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Abstract 

The  Clinger-Cohen  Act  mandated  changes  to  the  way  DoD  selects  and  manages  information  technology 
resources  and  emphasized  that  information  technology  was  an  enabler  of  business  process  reengineering. 
The  Chief  Information  Officer,  DoD,  oversees  all  DoD  information  technology  investments.  To  help 
ensure  effective  oversight  of  DoD  information  technology  investments.  Congress  included  Section 
8121(b)  in  the  FY  2000  DoD  Appropriations  Act.  This  act  required  the  Chief  Information  Officer,  DoD, 
to  certify,  prior  to  Milestone  I,  II,  or  III  approval,  that  major  automated  information  systems  were  being 
developed  in  accordance  with  the  Clinger-Cohen  Act.  Section  8121(b)  also  required  the  Chief  Information 
Officer,  DoD,  to  inform  Congress  of  the  certifications  and  to  provide  confirmation  that  DoD  Components 
took  certain  steps  with  respect  to  the  system  certification,  to  include  business  process  reengineering, 
analysis  of  alternatives,  economic  analysis,  performance  measures,  and  an  information  assurance  strategy. 
This  audit  was  the  first  in  a  series  of  planned  audits  of  information  systems  that  were  certified  by  DoD  as 
being  compliant  with  the  Clinger-Cohen  Act.  DoD  authorized  the  development  of  the  modern  Defense 
Civilian  Personnel  Data  System  in  December  1994  to  support  the  regionalization  of  civilian  personnel 
operations,  which  included  workforce  reduction.  DoD  planned  to  concurrently  field  the  Defense  Civilian 
Personnel  Data  System  modernization  and  complete  regionalization  by  December  1998.  DoD  completed 
regionalization  by  June  1999,  but,  as  of  May  2001,  full-scale  deployment  of  Defense  Civilian  Personnel 
Data  System  had  occurred  at  only  5  of  the  26  proposed  sites.  Of  the  remaining  21  sites,  program  officials 
expanded  testing  at  6  of  the  sites  and  planned  to  complete  deployment  for  15  sites  by  September  2001, 
almost  two  years  after  the  completion  of  reengineering.  On  May  10,  2000,  the  Chief  Information  Officer, 
DoD,  certified  that  the  Defense  Civilian  Personnel  Data  System  was  being  developed  in  accordance  with 
the  Clinger-Cohen  Act. 
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June  7,  2001 

MEMORANDUM  FOR  ASSISTANT  SECRETARY  OF  DEFENSE  (COMMAND, 

CONTROL,  COMMUNICATIONS,  AND  INTELLIGENCE) 
DIRECTOR,  CIVILIAN  PERSONNEL  MANAGEMENT 
SERVICE 

Subject:  Audit  Report  on  Certification  of  the  Defense  Civilian  Personnel 
Data  System  (Report  No.  D-2001-137) 


We  are  providing  this  audit  report  for  review  and  comment.  We  considered 
management  comments  on  a  draft  of  ^s  report  when  preparing  the  final  report. 

DoD  Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly. 
The  Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence)  comments  were  partially  responsive  to  Recommendations  l.a.,  l.b.,  and 
l.d.  Additionally,  as  a  result  of  management  comments,  we  revised 
Recommendation  1  .c.  The  Director,  Civilian  Personnel  Management  Service, 
nonconcurred  with  Recommendations  2. a.  and  2.b.  We  revised  both  recommendations 
in  recognition  of  management  concerns.  We  request  that  the  Assistant  Secretary  of 
Defense  (Command,  Control,  Communications,  and  Intelligence)  and  the  Director, 
Civilian  Personnel  Management  Service,  provide  additional  comments  by  July  9,  2001 . 

Questions  on  the  audit  should  be  directed  to  Ms.  Wanda  A.  Hopkins  at 
(703)  604-9049  (DSN  664-9049)  (wahopkins@dodig.osd.mil)  or  Mr.  James  W. 
Hutchinson  at  (703)  604-9060  (DSN  664-9060)  (jhutchinson@dodig.osd.mil).  See 
Appendix  E  for  the  report  distribution.  The  audit  team  members  are  listed  inside  the 
back  cover. 


Thomas  F.  Gimble 
Acting 

Deputy  Assistant  Inspector  General 
for  Auditing 
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Certification  of  the  Defense 
Civilian  Personnel  Data  System 


Executive  Summary 


Introduction.  The  Clinger-Cohen  Act  mandated  changes  to  the  way  DoD  selects  and 
manages  information  technology  resources  and  emphasized  that  information  technology 
was  an  enabler  of  business  process  reengineering.  The  Chief  Information  Officer,  DoD, 
oversees  all  DoD  information  technology  investments.  To  help  ensure  effective  oversight 
of  DoD  information  technology  investments.  Congress  included  Section  8121(b)  in  the 
FY  2000  DoD  Appropriations  Act.  This  act  required  the  Chief  Information  Officer,  DoD, 
to  certify,  prior  to  Milestone  I,  II,  or  III  approval,  that  major  automated  information 
systems  were  being  developed  in  accordance  with  the  Clinger-Cohen  Act.  Section  8121(b) 
also  required  the  Chief  Information  Officer,  DoD,  to  inform  Congress  of  the  certifications 
and  to  provide  confirmation  that  DoD  Components  took  certain  steps  with  respect  to  the 
system  certification,  to  include  business  process  reengineering,  analysis  of  alternatives, 
economic  analysis,  performance  measures,  and  an  information  assurance  strategy.  This 
audit  was  the  first  in  a  series  of  planned  audits  of  information  systems  that  were  certified 
by  DoD  as  being  compliant  with  the  Clinger-Cohen  Act. 

DoD  authorized  the  development  of  the  modem  Defense  Civilian  Personnel  Data  System 
in  December  1994  to  support  the  regionalization  of  civilian  personnel  operations,  which 
included  workforce  reduction.  DoD  planned  to  concurrently  field  the  Defense  Civilian 
Personnel  Data  System  modernization  and  complete  regionalization  by  December  1998. 
DoD  completed  regionalization  by  June  1999,  but,  as  of  May  2001,  full-scale  deployment 
of  Defense  Civilian  Personnel  Data  System  had  occurred  at  only  5  of  the  26  proposed 
sites.  Of  the  remaining  21  sites,  program  officials  expanded  testing  at  6  of  the  sites  and 
planned  to  complete  deployment  for  15  sites  by  September  2001,  almost  two  years  after 
the  completion  of  reengineering.  On  May  10,  2000,  the  Chief  Information  Officer,  DoD, 
certified  that  the  Defense  Civilian  Personnel  Data  System  was  being  developed  in 
accordance  with  the  Clinger-Cohen  Act. 

Objectives.  The  audit  objective  was  to  determine  whether  DoD  oversight  processes  and 
procedures  provided  the  Chief  Information  Officer,  DoD,  sufficient  basis  to  certify  that 
the  Defense  Civilian  Personnel  Data  System  was  managed  in  accordance  with  the 
Clinger-Cohen  Act.  In  subsequent  reports,  we  will  evaluate  the  basis  for  certification  of 
other  systems,  assess  DoD  progress  in  implementing  the  Clinger-Cohen  Act,  and  review 
related  management  controls. 

Results.  The  Chief  Information  Officer,  DoD,  did  not  have  sufficient  basis  to  certify, 
without  qualification,  that  the  Defense  Civilian  Personnel  Data  System  had  been  developed 
in  accordance  with  the  Clinger-Cohen  Act.  Specifically,  the  Chief  Information  Officer, 
DoD,  lacked  sufficient  basis  for  unconditional  certification  because  previously  identified 
Clinger-Cohen  compliance  issues  were  not  fully  resolved  or  recognized,  relevant  data 
were  not  adequately  analyzed,  and  key  acquisition  documents  either  were  not  prepared  or 


were  not  prepared  and  approved  in  a  timely  manner.  Additionally,  milestone  exit  criteria 
were  not  well  defined  or  sufficiently  tracked  and  enforced.  Further,  DoD  oversight  did 
not  include  specific  criteria  or  a  commonly  defined  approach  for  evaluating  the  basis  for 
Clinger-Cohen  certification.  As  a  result,  the  certification  requirement  was  not  an  effective 
means  for  ensuring  Defense  Civilian  Personnel  Data  System  compliance  with  the 
Clinger-Cohen  Act.  The  DoD  is  continuing  to  refine  its  information  technology 
acquisition  review  processes  and  needs  to  consider  the  lessons  learned  from  its  initial 
experiences  in  section  8121(b)  implementation,  which  includes  the  need  for  better 
guidance  and  oversight. 

Summary  of  Recommendations.  We  recommend  that  the  Chief  Information  Officer, 
DoD,  clarify  and  enhance  the  methodology  for  determining  Clinger-Cohen  compliance; 
improve  information  technology  oversight  processes  by  periodically  confirming  the 
accuracy  and  adequacy  of  information  reported  by  DoD  Components;  coordinate  with  the 
Civilian  Personnel  Management  Service  to  implement  common  DoD-wide  performance 
measures;  and  continue  oversight  of  post-development  Defense  Civilian  Personnel  Data 
System  program  activities.  We  also  recommend  that  the  Director,  Civilian  Personnel 
Management  Service,  reassess  system  interfaces  and  enhance  user  guidance  to  ensure  that 
the  information  assurance  posture  of  the  system  is  appropriate. 

Management  Comments.  Management  commented  that  we  inappropriately  describe 
previously  identified  issues  as  Clinger-Cohen  Act  compliance  issues  because  associated 
decisions  were  made  before  the  Act  was  legislated.  The  Acting  Deputy  Assistant 
Secretary  of  Defense  (Deputy  Chief  Information  Officer)  concurred  with  the 
recommendations  to  clarify  and  strengthen  the  certification  criteria  and  processes  used  by 
the  Chief  Information  Officer  and  the  DoD  Components  to  determine  whether  major 
automated  information  systems  are  developed  in  accordance  with  the  Clinger-Cohen  Act. 
However,  the  Deputy  Assistant  Secretary  nonconcurred  with  the  draft  recommendation  to 
implement  standardized  functional  performance  measures  because  implementation  is  a 
responsibility  of  the  system  owner.  Additionally,  the  Acting  Assistant  Secretary  of 
Defense  (Force  Management  Policy)  and  the  Director,  Civilian  Personnel  Management 
Service,  jointly  indicated  nonconcurrence  with  both  recommendations  on  information 
assurance  stating  that  all  system  interfaces  were  appropriately  secured  and  processes 
documented,  and  that  the  related  recommendations  should  be  removed. 

Audit  Response.  We  recognize  that  the  basis  for  some  issues  predates  the  passage  of  the 
Clinger-Cohen  Act  in  1996,  but  the  concepts  mandated  by  the  Act  were  not  new  to  DoD. 
Similar  Office  of  Management  and  Budget  and  DoD  policy  and  requirements  existed  prior 
to  the  enactment  of  Clinger-Cohen  and  were  fully  applicable  to  Defense  Civilian  Personnel 
Data  System  program  decisions  made  before  and  after  the  enactment  of  Clinger-Cohen. 
Although  the  Acting  Deputy  Assistant  Secretary  (Deputy  Chief  Information  Officer) 
concurred  with  most  recommendations,  the  comments  were  partially  responsive.  We 
asked  for  additional  comments  on  the  development  of  an  action  plan  for  enhancing  Chief 
Information  Officer  oversight  and  completion  dates  for  the  recommendations.  We  also 
revised  Recommendation  l.c.  on  implementing  performance  measures  to  more 
appropriately  focus  on  the  role  of  oversight.  Based  on  the  comments  of  the  Director, 
Civilian  Personnel  Management  Service,  we  revised  both  recommendations  related  to 
information  assurance.  We  revised  Recommendation  2. a.  so  that  we  no  longer  tied  system 
deployment  at  additional  sites  to  the  implementation  of  our  recommendations.  We  also 
revised  Recommendation  2.b.  to  allow  flexibility  in  publishing  the  enhanced  security 
guidance  as  long  as  the  guidance  is  documented  and  easily  accessible.  We  request  that 
management  provide  additional  comments  on  the  final  report  by  July  9,  2001. 
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Background 


In  the  mid-1990s.  Congress  passed  several  pieces  of  reform  legislation  designed 
to  improve  the  management  and  performance  of  Federal  agencies.  The  reform 
legislation  responded  to  the  inability  of  Federal  agencies  to  effectively  manage 
the  acquisition  of  information  technology  (IT)  systems  that  met  the  needs  of 
functional  users.  One  major  reform  initiative  was  the  Information  Technology 
Management  Reform  Act  of  1996,  which  was  subsequently  retitled  the 
Clinger-Cohen  Act  of  1996. 

Clinger-Cohen  Act  of  1996.  The  Clinger-Cohen  Act  of  1996  (CCA)  requires 
Federal  agencies  to  focus  on  the  results  achieved  through  IT  investments  while 
streamlining  the  Federal  IT  procurement  process.  Specifically,  the  CCA 
required  agencies  to  design  and  implement  a  structure  and  process  for  acquiring 
and  managing  IT.  One  of  the  primary  requirements  of  the  CCA  was  the 
establishment  of  the  position  of  the  Chief  Information  Officer  for  each  Federal 
agency. 

To  comply  with  this  requirement,  in  June  1997,  the  Secretary  of  Defense 
designated  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications,  and  Intelligence)  as  the  Chief  Information  Officer,  DoD  (the 
CIO),  and  conferred  the  authority  and  responsibility  for  implementing  all 
aspects  of  the  CCA.  The  CIO  responsibilities  include: 

•  designing  and  implementing  a  process  for  maximizing  the  value  and 
assessing  and  managing  the  risks  of  DoD  IT  acquisitions  (delegated 
by  the  Secretary  of  Defense); 

•  institutionalizing  performance-  and  results-based  IT  management 
(delegated  by  the  Secretary  of  Defense);  and 

•  providing  advice  and  other  assistance  to  the  Secretary  of  Defense  and 
other  senior  DoD  managers  to  ensure  that  the  acquisition  of  IT  and 
information  resources  was  managed  in  accordance  with  the  policies 
of  the  CCA. 

The  Secretary  of  Defense  also  made  the  CIO  responsible  for  the  management 
and  oversight  of  all  DoD  IT  systems.  Specific  responsibilities  included 
overseeing  the  performance  of  IT  programs  and  measuring  program  progress 
through  system  milestone  reviews. 

Congressional  Concerns.  In  the  House  of  Representatives  Report  106-244, 
“Report  of  the  Committee  on  Appropriations,”  July  20,  1999,  the  House 
Committee  on  Appropriations  expressed  disappointment  in  the  effectiveness  of 
management  oversight  of  DoD  IT  system  acquisition  projects.  Specifically,  the 
Committee  stated  that  IT  systems  tended  to  overrun  budgets,  slip  schedules, 
evade  data  standardization  and  interoperability  requirements,  and  shortchange 
user  needs.  In  an  attempt  to  address  some  of  those  concerns.  Congress 
developed  provisions  to  prohibit  any  DoD  IT  system  from  receiving  approval  in 
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an  acquisition  development  milestone  decision  without  written  certification  from 
the  CIO  that  the  system  has  been  developed  in  accordance  with  the  CCA. 

Statutory  Requirements.  Additionally,  Congress  enacted  section  8121(b), 
“Certifications  as  to  Compliance  with  the  Clinger-Cohen  Act”  of  the  FY  2000 
DoD  Appropriations  Act,  which  states: 

(1)  During  the  fiscal  year  2000,  a  major  automated  information  system 
may  not  receive  Milestone  I  approval,  Milestone  II  approval,  or 
Milestone  III  approval  within  the  Department  of  Defense  until  the 
Chief  Information  Officer  certifies,  with  respect  to  that  milestone,  that 
the  system  is  being  developed  in  accordance  with  the  Clinger-Cohen 
Act  of  1996  (40  U.S.C  1401  et  seq.).  The  Chief  Information  Officer 
may  require  additional  certifications,  as  appropriate,  with  respect  to 
any  such  system. 

(2)  The  Chief  Information  Officer  shall  provide  the  congressional 
defense  committees  timely  notification  of  certifications  under 
paragraph  (1).  Each  such  notification  shall  include,  at  a  minimum,  the 
funding  baseline  and  milestone  schedule  for  each  system  covered  by 
such  a  certification  and  confirmation  that  the  following  steps  have 
been  taken  with  respect  to  the  system: 


A) 

Business  process  reengineering. 

B) 

An  analysis  of  alternatives. 

C) 

An  economic  analysis  that  includes  a  calculation  of  the 
return  on  investment. 

D) 

Performance  measures. 

E) 

An  information  assurance  strategy  consistent  with  DoD 

Command,  Control,  Communications,  Computers, 

Intelligence,  and  Reconnaissance  Architecture 

Framework. 

On  October  30,  2000,  Congress  enacted  Public  Law  106-398,  the  FY  2001  DoD 
Authorization  Act,  section  811(c),  “Milestone  Approval  For  Major  Automated 
Information  Systems,”  which  reinforced  the  requirements  of  section  8121(b)  and 
clarified  that  the  CIO  shall  determine  whether  the  IT  system  was  being 
developed  in  accordance  with  the  requirements  of  division  E  of  the  CCA. 

Related  DoD  Policy  and  Requirements.  The  specific  interest  items  iterated  in 
section  8121(b)  were  specifically  recognized  and  required  by  DoD  policy  and 
guidance  prior  to  passage  of  the  CCA  in  1996.  DoD  Directive  8000.1, 

“Defense  Information  Management  (IM)  Program,”  October  27,  1992,  provides 

high-level  DoD  policy  regarding  information  management,  including  supporting 
IT  systems.  The  Directive  levies  requirements  and  responsibilities  for  business 
process  streamlining  and  improvements;  preparing  and  validating  functional 
economic  analyses,  which  includes  analyses  of  alternatives  and  investment  risk; 
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developing  functional  process  performance  measures  and  assessments;  and 
ensuring  appropriate  information  security.  Additionally,  DoD  Directive  8120.1, 
“Life-Cycle  Management  (LCM)  of  Automated  Information  Systems  (AISs),” 
January  14,  1993, ^had  stated  that  it  was  DoD  policy  to  control  IT  system 
expenditures  to  ensure  that  derived  benefits  satisfy  mission  needs  to  the  greatest 
extent  possible  and  in  the  most  cost-effective  manner.  Accordingly, 

Directive  8120.1  emphasized  the  importance  of  those  specific  section  8121(b) 
interest  items  that  are  critical  in  the  “early-on”  IT  development  stages, 
especially  those  related  to  improving  business  processes  and  examining 
alternatives  and  projecting  related  costs  and  benefits.  DoD  acquisition  guidance 
also  contained  requirements  related  to  basic  principles  of  sound  system 
acquisition  management. 

Acquisition  Program  Milestones.  A  milestone  is  a  decision  point  that 
separates  major  phases  of  an  acquisition  program.  Until  October  2000,  the 
major  DoD  acquisition  phases  included  Concept  Exploration  (Phase  0),  Program 
Definition  and  Risk  Reduction  (Phase  I),  Engineering  and  Manufacturing 
Development  (Phase  II),  and  Production,  Fielding/Deployment,  and  Operational 
Support  (Phase  III).  DoD  acquisition  policy  requires  a  milestone  decision 
before  an  acquisition  program  may  progress  to  the  next  phase  of  development. 
The  CIO,  as  the  Milestone  Decision  Authority  (MDA)  for  major  automated 
information  systems,  approved  milestone  decisions  for  high-cost  or  special 
interest  IT  acquisition  programs.  In  October  2000,  DoD  substantially  revised  its 
acquisition  guidance  and  requirements.  Those  revisions  included  a  reduced 
number  of  major  milestone  phases  and  associated  decision  points.  DoD  also 
revised  acquisition  regulations  to  more  clearly  and  effectively  implement  various 
aspects  of  IT  reform  legislation,  including  those  related  to  the  CCA. 

Key  Acquisition  Documents.  As  part  of  the  acquisition  program  milestone 
review,  key  acquisition  documents,  such  as  an  Acquisition  Program  Baseline 
and  Test  and  Evaluation  Master  Plan,  are  fundamental  to  the  effective 
acquisition  management  and  oversight  of  IT  systems.  Accordingly,  senior 
representatives  from  the  Office  of  the  Secretary  of  Defense  rely  on  key 
acquisition  documents  to  help  implement  the  CCA.  Although  DoD 
de-emphasized  some  mandatory  documentation  requirements,  DoD  provided 
clear  direction  on  statutory  and  regulatory  requirements  for  appropriate  program 
documentation  for  milestone  reviews. 

Defense  Civilian  Personnel  Data  System.  On  May  10,  2000,  the  Defense 
Civilian  Personnel  Data  System  (DCPDS)  was  certified  as  one  of  the  first 
systems  developed  in  accordance  with  the  CCA.  The  primary  goal  of  the 
DCPDS  Program  was  to  provide  all  DoD  Components  with  a  single, 
standardized,  automated  civilian  personnel  management  system  that  would 
provide  the  software  application  tools  and  the  requisite  hardware  to  support 
regionalization  of  DoD  civilian  personnel  mission  requirements  and  operations 
and  a  reduced  workforce.  Initially,  DoD  planned  to  field  the  modem  DCPDS 
and  complete  regionalization  by  December  1998.  By  June  1999,  DoD 


'  DoD  Directive  5000.1,  “Defense  Acquisition,”  March  15,  1996,  cancelled  DoD  Directive  8120.1  and 
incorporated  the  policies  and  requirements  on  life-cycle  management  for  automated  information  systems. 
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completed  regionalization  of  all  22  regional  support  centers.  However,  initial 
deployment  of  the  DCPDS  did  not  start  until  Oetober  1999,  with  eomplete 
deployment  scheduled  for  September  2001.  The  Civilian  Personnel 
Management  Serviee  (CPMS)  was  the  functional  proponent  for  the  DCPDS 
Program  and  IT  system  aequisition  program  management  was  performed  by  the 
Central  Design  Aetivity  at  the  Air  Foree  Persoimel  Center.  Upon  Milestone  III 
approval,  the  Central  Design  Activity  ceased  to  provide  acquisition  program 
management  services,  and  CPMS  assumed  overall  program  acquisition  and 
management  responsibilities.  Appendix  B  provides  a  detailed  description  of  the 
DCPDS  Program. 

Objectives 


The  audit  objective  was  to  determine  whether  DoD  oversight  proeesses  and 
proeedures  provided  the  Chief  Information  Offieer,  DoD,  with  a  suffieient  basis 
to  eertify  that  the  Defense  Civilian  Personnel  Data  System  was  being  managed 
in  aeeordanee  with  the  Clinger-Cohen  Act.  This  report  is  the  first  of  a  series. 

In  subsequent  reports,  we  will  evaluate  the  basis  for  eertifieation  of  other 
systems,  assess  DoD  progress  in  implementing  the  Clinger-Cohen  Aet,  and 
review  related  management  eontrols.  A  description  of  the  audit  scope  and 
methodology  and  prior  coverage  related  to  the  DCPDS  Program  is  shown  in 
Appendix  A. 
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Certification  of  the  Defense  Civilian 
Personnel  Data  System  As  Compliant 
with  the  Clinger-Cohen  Act 

The  CIO  did  not  have  a  sufficient  basis  to  certify,  without  qualification, 
that  DCPDS  had  been  developed  in  accordance  with  the  Clinger-Cohen 
Act.  The  CIO  lacked  sufficient  basis  because: 

•  previously  identified  CCA  compliance  issues  had  not  been 
fully  resolved,  and  relevant  data  were  not  adequately 
analyzed; 

•  key  acquisition  documents  either  were  not  prepared  or  were 
not  prepared  and  appropriately  approved  in  a  timely  manner, 
and  were  not  regularly  updated; 

•  milestone  exit  criteria  were  not  well  defined  or  sufficiently 
tracked  and  enforced; 

•  CIO  management  controls  for  overseeing  the  DCPDS 
development  did  not  provide  active  oversight  participation  and 
involvement  by  senior  DoD  advisors  at  key  decision  points  or 
adequate  and  ongoing  direction  and  guidance  to  the  DCPDS 
Program;  and 

•  the  CIO  did  not  establish  specific  criteria  for  or  define  a 
common  approach  to  evaluating  the  basis  for  CCA 
certification. 

As  a  result,  in  the  case  of  the  DCPDS  Program,  the  certification 
requirement  was  not  an  effective  means  of  ensuring  compliance  with  the 
CCA. 

DCPDS  Certification  Process 


CPMS  officials  had  to  use  draft  procedures  to  prepare  the  DCPDS  Compliance 
Report  because  the  CIO  did  not  complete  a  standard  section  8121(b)  certification 
process  until  after  he  had  certified  the  DCPDS  Program  as  CCA  compliant. 

The  DCPDS  was  certified  to  Congress  on  May  10,  2000;  however,  the  CIO  did 
not  complete  the  standard  section  8121(b)  certification  process  until  July  13, 
2000.  Although  the  use  of  draft  procedures  during  the  DCPDS  certification 
process  did  not  materially  affect  the  validity  of  the  certification,  official 
guidance  establishes  management’s  position,  intent,  and  applicability  of  the 
policy.  Both  the  draft  and  final  versions  of  section  8121(b)  certification 
procedures  required  DoD  Component  heads  to  prepare  a  compliance  report 
prior  to  each  milestone  approval. 
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The  Office  of  the  Director,  CPMS,  prepared  the  compliance  report  for  the 
DCPDS  Program,  which  summarized  the  requirements  of  section  8121(b), 
provided  background  information  on  the  DCPDS  Program,  and  outlined  the 
actions  taken  by  CPMS  on  the  five  section  8121(b)  interest  items:  business 
process  reengineering,  analysis  of  alternatives,  economic  analysis,  performance 
measures,  and  an  information  assurance  strategy.  A  review  team  represented  by 
various  staff  offices  within  the  Office  of  the  Secretary  of  Defense  then  prepared 
the  congressional  certification  report  for  the  signature  of  the  CIO.  The 
compliance  report  and  the  certification  report  essentially  contained  the  same 
information.  On  March  17,  2000,  the  review  team  briefed  the  Deputy  CIO  on 
the  draft  DCPDS  certification  report.  The  briefing  included  confirmation  of 
steps  taken  to  address  each  of  the  five  specific  congressional  interest  items. 
During  its  briefing  to  the  Deputy  CIO,  the  review  team  presented  a  qualified 
confirmation  of  steps  taken  regarding  business  process  reengineering,  analysis 
of  alternatives,  and  performance  measures  because  the  General  Accounting 
Office  (GAO)  previously  identified  problems  in  those  areas. 

Because  CPMS  initiated  actions  to  address  GAO  concerns,  the  review  team 
recommended  that  the  CIO  certify  DCPDS  as  CCA  compliant.  The  Deputy  CIO 
tentatively  approved  certification  during  the  briefing,  thus  authorizing  the 
preparation  of  the  official  certification  report  and  congressional  notification 
letters  for  the  CIO  to  sign  for  Congress.  The  certification  report  and 
notification  letters  were  coordinated  with  and  endorsed  by  the  Office  of  the 
Under  Secretary  of  Defense  (Comptroller);  the  Office  of  the  Director,  Program 
Analysis  and  Evaluation;  the  Office  of  the  Assistant  Secretary  of  Defense  for 
Legislative  Affairs;  the  Office  of  the  Deputy  Under  Secretary  of  Defense  for 
Program  Integration;  the  Office  of  General  Counsel;  the  Office  of  the  Deputy 
Assistant  Secretary  of  Defense  for  Civilian  Personnel  Policy;  and  the  Office  of 
the  Assistant  Secretary  of  the  Air  Force  for  Acquisition. 

Resolution  of  Previously  Identified  CCA  Compliance  Issues 


In  its  report  GAO/AIMD-99-20,  “Defense  IRM;  Alternatives  Should  Be 
Considered  in  Developing  the  New  Civilian  Personnel  System,”  January  1999, 
the  GAO  identified  DCPDS  development  problems  related  to  each  of  the  five 
interest  items  listed  in  section  8121(b).  The  GAO  concluded  that  the  DCPDS 
development  provided  DoD  with  little  assurance  that  its  investment  was  optimal 
because  of  weaknesses  identified  in  business  process  reengineering,  analysis  of 
alternatives  and  economic  analyses,  and  performance  measures.  Additionally, 
DCPDS  security  risks  had  not  been  adequately  addressed.  GAO 
recommendations  included  a  reevaluation  of  alternatives,  with  the  costs  and 
benefits  of  each  alternative  determined  through  economic  analyses,  and  the 
standardization  of  performance  measurements.  GAO  also  recommended  actions 
to  adequately  secure  and  protect  DCPDS  sensitive  data. 

In  effect,  the  results  of  the  GAO  review  should  have  informed  DoD  that  DCPDS 
development  had  not  been  in  accordance  with  the  CCA.  Because  the  report  to 
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Congress  did  not  mention  the  results  of  the  GAO  review,  we  included  steps  in 
our  audit  to  validate  GAO  conclusions  and  to  evaluate  DoD  actions  to 
implement  related  recommendations. 

DoD  Investment  in  DCPDS.  To  determine  whether  the  CIO  had  a  firm  basis 
for  certifying  that  DCPDS  was  developed  in  accordance  with  the  IT  system 
investment  principles  of  CCA,  we  evaluated  the  actions  taken  on  related 
section  8121(h)  interest  items:  business  process  reengineering,  analysis  of 
alternatives,  economic  analysis,  and  performance  measures. 

Business  Process  Reengineering.  DoD  efforts  to  reengineer  personnel 
management  processes  prior  to  DCPDS  investment  met  the  general  intent  of 
CCA.  Business  process  reengineering  is  a  systematic  and  disciplined 
improvement  approach  that  critically  examines,  rethinks,  and  redesigns 
mission-delivery  processes  to  improve  performance  in  areas  that  are  important 
to  customers  and  stakeholders.  The  redesign  of  business  processes  has  to  occur 
prior  to  system  development  to  maximize  the  value  of  IT  system  investment. 

Business  process  reengineering  is  normally  accomplished  through  three  basic 
steps.  First,  an  “as-is”  model  is  produced,  which  provides  detailed  descriptions 
of  existing  fimctional  processes.  Capitalizing  on  current  IT  technology  and 
capabilities,  a  “to-be”  functional  process  is  then  designed,  which  details  the 
reengineered  processes.  Once  the  redesigned  business  processes  are 
determined,  an  IT  system  can  be  designed  and  developed  to  best  implement  the 
reengineered  business  processes. 

To  re-engineer  civilian  persoimel  business  processes,  DoD  initiated  the 
modernization  of  the  DCPDS  to  support  regionalization  of  civilian  persoimel 
operations,  which  included  workforce  reduction.  DoD  began  regionalization 
efforts  in  1989  and  completed  those  efforts  by  June  1999.  To  enable  DoD 
regionalization  efforts,  DoD  developed  the  modern  DCPDS,  with  plans  to 
complete  the  modernization  effort  by  December  1998.  However,  DCPDS 
deployment  to  various  test  sites  did  not  begin  until  October  1999  with  an 
estimated  completion  date  of  September  2001,  almost  2  years  after 
regionalization  was  completed.  Consequently,  DoD’s  reengineering  of  civilian 
personnel  management  business  processes  did  not  yield  all  the  expected  benefits 
at  that  time  because  the  enabling  IT  system,  DCPDS,  had  not  met  original 
timeframes. 

DoD  completed  the  redesign  of  persoimel  business  processes  before  the 
completion  of  the  enabling  IT  system  development.  However,  a  fully  effective 
reengineered  business  process  required  timely  implementation  and  integration  of 
the  IT  system  with  the  modified  processes. 

Analysis  of  Alternatives  and  Economic  Analysis.  CPMS  officials 
could  not  demonstrate  that  they  selected  the  DCPDS  Program  IT  system  through 
a  process  of  rigorous  analysis  of  alternatives  and  economic  analysis.  An 
analysis  of  alternatives  and  an  economic  analysis  are  directly  related.  Effective 
use  of  an  analysis  of  alternatives,  in  conjunction  with  an  economic  analysis, 
provides  a  viable  basis  for  evaluating  potential  solutions  and  selecting  the  most 
cost-beneficial  alternative.  The  analysis  of  alternatives  generally  starts  with  a 
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broad  base  of  possible  solutions  to  meet  a  mission  need.  Once  the  field  of 
possible  solutions  is  narrowed  to  a  few  realistic  alternatives,  then  the  principles 
of  economic  analysis  and  its  tools  of  cost-benefit  analysis  and  remrn-on- 
investment  are  applied  to  identify  the  most  promising  solution. 

DCPDS  managers  did  not  meet  the  requirements  of  DoD  Instruction  7041.3, 
“Economic  Analysis  for  Decision  Making.”  DoD  Instruction  7041.3  states  that 
each  feasible  alternative  for  meeting  an  objective  must  be  considered  and  its  life- 
cycle  costs  and  benefits  evaluated.  The  Instruction  also  states  that  alternatives 
dismissed  as  infeasible  must  be  discussed,  but  need  not  be  formally  compared, 
in  the  economic  analysis.  Additionally,  the  Instruction  requires  that  the 
economic  analysis  provide  a  detailed  cost/benefit  analysis  for  all  alternatives 
deemed  feasible  through  the  analysis  of  alternatives  process.  The  emphasis  on 
documentation  is  appropriate  because  all  significant  DoD  investments  undergo 
some  form  of  management  review.  Oversight  cannot  be  effective  without  a 
clear  understanding  of  why  a  proposed  investment  is  the  best  available 
alternative. 

In  1995,  CPMS  officials  decided  to  base  the  acquisition  of  the  DCPDS  Program 
upon  commercially  available  software  and  selected  an  Oracle  product. 

However,  there  was  little  evidence  to  demonstrate  that  their  selection  process 
employed  a  rigorous  analysis  of  alternatives  or  economic  analyses  detailing  the 
expected  costs,  benefits,  and  remrns  on  investments.  CPMS  officials  evaluated 
three  commercial  products  to  determine  how  well  each  product  would  meet  DoD 
personnel  management  needs  and  the  initial  costs  for  each  product.  The 
selection  process  did  not  clearly  demonstrate  that  the  Oracle  product  represented 
the  best  DCPDS  investment  alternative. 

In  its  January  1999  report,  GAO  recommended  that  DoD  analyze  all 
commercially  available  alternatives  and  the  related  costs  and  benefits  of  each. 
DCPDS  Program  officials  agreed,  but  did  not  commit  to  reevaluating  the  Oracle 
selection.  CPMS  officials  told  us  that  Oracle  was  the  only  software  that  could 
perform  DCPDS  requirements  and  that  further  economic  analysis  made  no 
sense,  given  the  level  of  investment  in  DCPDS  at  the  time  of  the  GAO  report. 
Additionally,  DCPDS  development  was  almost  complete  and  further  analysis 
would  have  unnecessarily  delayed  implementation  of  DCPDS.  In  July  1999, 
GAO  representatives  agreed  with  CPMS  officials  that  it  was  too  late  in  the 
development  process  to  reconsider  Oracle  and  that  the  CPMS  should  mm  its 
focus  to  the  fumre. 

Because  the  CIO  provided  DCPDS  with  a  conditional  Milestone  III  approval  on 
May  19,  2000,  we  agree  that  further  analysis  of  alternatives  and  economic 
analyses  would  provide  little  benefit  at  such  a  late  stage  of  development. 
However,  CPMS  officials  should  perform  a  well  documented  analysis  of 
alternatives  and  an  economic  analysis  for  any  significant  fumre  product 
improvements  or  upgrades. 

Performance  Measures.  The  “DoD  Guide  for  Managing  Information 
Technology  (IT)  as  an  Investment  and  Measuring  Performance,”  Febmary  10, 
1997,  defined  IT  performance  measurement  as: 
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The  assessment  of  effectiveness  and  efficiency  of  IT  in  support  of  the 
achievement  of  an  organization’s  missions,  goals,  and  quantitative 
objectives  through  the  application  of  outcome-based  measurable,  and 
quantifiable  criteria,  compared  against  an  established  baseline,  to 
activities,  operations,  and  processes. 

Evaluation  of  a  program’s  effectiveness  and  efficiency  begins  with  the 
establishment  of  a  performance  measurement  baseline.  Performance 
measures  are  developed  based  on  expected  outcomes,  assessed  against 
the  baseline,  and  continually  monitored  to  determine  whether  they  are 
being  achieved.  Individual  measures  are  defined  and  then  quantified 
with  targets  and  thresholds  to  form  the  performance  measurement 
baseline. 

In  its  January  1999  report,  GAO  emphasized  that  common  definitions  for 
performance  measures  were  needed  to  uniformly  and  consistently  measure 
mission  performance  gains  of  all  DoD  Components.  As  of  October  2000, 

CPMS  officials  had  not  obtained  agreement  between  the  Military  Departments 
on  definitions  for  common  performance  measures.  Further,  because  the 
performance  baselines  established  by  the  Military  Departments  were  premised 
on  their  unique  definitions,  DoD  did  not  have  a  common  base  from  which  to 
measure  DCPDS  performance  gains.  Because  CPMS  officials  did  not  insist  that 
each  DoD  Component  establish  performance  measures  based  on  common 
definitions,  DoD  was  not  able  to  meaningfully  assess  the  impact  of  DCPDS  on 
its  DoD-wide  civilian  personnel  management  mission.  Additionally,  without 
standard  performance  measures  and  related  baselines,  DoD  was  not  able  to 
uniformly  assess  and  quantify  performance  gains  attributable  to  DCPDS  by  all 
Components. 

The  CIO  description  provided  to  Congress  of  steps  relating  to  DCPDS 
performance  measures  was  not  complete;  however,  DoD  could  still  establish  and 
implement  uniform  DCPDS  performance  measures.  Specifically,  the  CIO,  in 
coordination  with  CPMS,  should  make  sure  that  uniform  DCPDS  performance 
measures  are  implemented  by  all  DoD  Components.  Such  action  would  provide 
the  CIO  with  a  basis  to  comply  with  the  specific  CCA  requirement  to  measure 
how  well  DCPDS  supported  the  users.  Uniform  performance  measures  would 
also  better  enable  the  CIO  to  meet  the  CCA  requirement  to  annually  report  DoD 
progress  in  achieving  DCPDS  goals  to  Congress. 

Information  Assurance.  CPMS  officials  took  substantial  action  to  improve  the 
DCPDS  information  assurance  posture  in  response  to  prior  reports  and  reviews; 
however,  we  identified  further  opportunities  for  CPMS  to  improve  the 
information  assurance  posture  of  DCPDS  assets.  Information  assurance,  often 
referred  to  as  information  security,  is  the  process  used  to  protect  and  defend 
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information  and  information  systems  by  ensuring  their  confidentiality,  integrity, 
availability,  and  non-repudiation^. 

Action  Taken  on  Prior  Audits  and  Reviews.  Office  of  Inspector 
General,  DoD,  Report  No.  98-082,  “Information  Assurance  of  the  Defense 
Civilian  Personnel  Data  System,”  February  23,  1998,  identified  high  DCPDS 
risks  concerning  unauthorized  system  access,  inappropriate  alteration  and 
destruction  of  personnel  data,  and  denial  of  service  to  users.  Recommendations 
included  the  implementation  of  information  assurance  measures  and  procedures 
to  protect  civilian  personnel  data.  In  its  January  1999  report,  GAO  identified 
DCPDS  information  assurance  weaknesses  regarding  physical  security  of  related 
hardware  and  personnel  data  and  the  use  of  non-secure  data  networks,  including 
the  Internet.  GAO  recommended  an  assessment  of  DCPDS  security  risks  and 
needs,  encryption  to  protect  DCPDS  sensitive  personnel  data,  and  security 
awareness  at  all  DCPDS  sites. 

CPMS  officials  initiated  and  implemented  aggressive  actions  to  improve  the 
information  assurance  of  DCPDS  and  to  satisfy  related  Inspector  General  and 
GAO  recommendations.  Those  actions  included  the  encryption  of  data 
exchanged  between  the  regional  centers  and  associated  customer  support  units, 
the  performance  of  DCPDS  risk  assessments  and  DCPDS  security  test  and 
evaluations,  the  designation  of  information  system  security  officers  at  each 
DCPDS  site,  and  the  formal  accreditation  of  DCPDS  as  being  appropriately 
secured. 

Assessment  of  DCPDS  Information  Assurance.  Overall,  DoD 
adequately  and  fairly  described  the  DCPDS  information  assurance  posture  in  the 
congressional  notification.  We  commend  CPMS  actions  that  greatly 
strengthened  the  information  assurance  of  DCPDS;  however,  we  identified 
additional  areas  of  concern  and  oppormnities  for  CPMS  management  to  further 
strengthen  DCPDS  information  assurance. 

CPMS  lacked  a  documented  risk  assessment  for  unencrypted  data  exchanged 
among  the  centralized  corporate  database,  the  Regional  Service  Centers,  and 
other  non-DCPDS  external  systems.  As  of  November  2000,  data  encryption 
between  some  of  these  links  did  not  exist.  Accordingly,  the  Director,  CPMS, 
should  perform  a  risk  assessment  of  the  unencrypted  interfaces  to  determine 
whether  the  transmittal  of  passwords,  user  identifications,  and  DCPDS  data  over 
the  unsecured  Internet  could  be  better  protected  and  should  implement,  if 
deemed  appropriate,  enhanced  security  controls. 

We  also  identified  a  need  for  enhancements  to  DCPDS  end  user  security  policy 
and  guidance.  First,  CPMS  placed  the  responsibility  for  establishing  strong 
passwords  on  the  user.  Secondly,  DCPDS  did  not  automatically  disconnect 
users  after  a  predetermined  period  of  inactivity.  Lastly,  DCPDS  did  not 
consistently  mark  output  products  that  contained  sensitive  data.  Accordingly, 
DCPDS  managers  should  develop  procedures  to  guide  and  instruct  DCPDS 


^  Non-repudiation  refers  to  the  positive  identifieation  of  who  aeeessed  a  system  and  what  transactions 
were  performed. 
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users  in  establishing  and  maintaining  effective  passwords,  the  use  of  keyboard 
locking  mechanisms,  and  ensuring  all  sensitive  documents  are  appropriately 
marked.  To  be  of  maximum  benefit,  DCPDS  users  must  be  made  aware  of  the 
need  for  diligent  security  procedures  and  associated  security  guidance  should  be 
quickly  and  easily  accessible  by  DCPDS  users. 

Key  Documentation  for  Milestone  Reviews 


The  House  Appropriations  Committee’s  Report  on  the  DoD  Appropriations  Bill 
for  FY  2000  provided  insight  on  the  congressional  concerns  that  resulted  in 
section  8121(b)  certification  requirements.  The  Committee  was  disappointed 
with  DoD  oversight  of  its  information  technology  systems,  including  acquisition 
milestone  reviews.  Specifically,  the  report  stated,  “Those  systems  that  are 
reviewed  are  often  approved  despite  lacking  key  documentation.  ”  The 
Milestone  Decision  Authority  did  not  ensure  that  key  documentation  for  DCPDS 
was  prepared  and  appropriately  coordinated  and  approved  for  consideration 
during  milestone  decisions. 

DoD  Acquisition  Documentation  Requirements.  DoD  Regulation  5000. 2-R, 
“Mandatory  Procedures  for  Major  Defense  Acquisition  Programs  (MDAPs)  and 
Major  Automated  Information  System  (MAISs)  Acquisition  Programs,” 

March  15,  1996,^  allows  the  MDA  to  tailor  the  documentation  requirements  for 
each  acquisition  program.  Specifically,  the  Regulation  states  that: 

Any  singular  MDAP  or  MAIS  need  not  follow  the  entire  process 
described  below.  However,  cognizant  of  this  model,  the  Program 
Manager  (PM)  and  the  Milestone  Decision  Authority  (MDA)  shall 
structure  the  MDAP  or  MAIS  to  ensure  a  logical  progression  through 
a  series  of  phases  designed  to  reduce  risk,  ensure  affordability,  and 
provide  adequate  information  for  decision-making  that  will  provide  the 
needed  capability  to  the  warfighter  in  the  shortest  practical  time. 

Although  the  MDA  may  tailor  the  documentation  required,  the  MDA  tentatively 
approved  DCPDS  milestones  without  ensuring  that  documentation  key  to 
making  sound  milestone  decisions  had  been  prepared  or  had  not  been 
appropriately  coordinated  and  approved.  Further,  actual  milestone  decisions 
were  not  clearly  delineated  or  adequately  documented. 

Milestones  I  and  II  Documentation.  On  May  20,  1996,  the  MDA  provided  a 
provisional  Milestone  I  approval  and  implied  a  Milestone  II  approval.  The 
MDA  approved  Milestone  I  pending  the  receipt,  within  60  days,  of  an  approved 
Operational  Requirements  Document,  Acquisition  Program  Baseline,  and  Test 
and  Evaluation  Master  Plan.  The  documents  required  by  the  MDA,  which 
provide  critical  insight  to  key  aspects  of  program  strategy  and  direction,  were 
not  submitted  for  several  months.  One  reason  for  delay  was  that  DCPDS 


^  Reissued  as  Interim  Regulation,  DoD  5000. 2-R,  “Mandatory  Proeedures  for  Major  Defense  Acquisition 
Programs  (MDAPs)  and  Major  Automated  Information  Systems  (MAIS)  Acquisition  Programs,” 
January  1,  2001 
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managers  did  not  fully  recognize  the  time  needed  to  extensively  coordinate  key 
documents  and  to  obtain  the  requisite  approvals  from  other  than  functional 
officials.  For  example,  ultimate  approval  of  the  DCPDS  Master  Test  and 
Evaluation  Plan  had  to  be  obtained  from  DoD  developmental  and  operational 
testing  organizations.  The  MDA  indicated  a  Milestone  II  approval  by 
authorizing  the  DCPDS  Program  to  continue  the  design  analysis  and 
development  of  application  software,  activities  normally  undertaken  in  Phase  II 
of  an  acquisition.  However,  the  required  documentation  was  not  provided 
during  the  specified  timeframe.  Therefore,  it  is  unclear  whether  the  original 
milestone  decision  was  nullified.  No  final  Milestone  I  or  II  decision  by  the 
MDA  was  documented. 

Milestone  III  Documentation.  On  May  19,  2000,  the  MDA  provided  a 
conditional  Milestone  III  approval  for  the  DCPDS  Program  although  several  key 
documents  had  not  been  developed.  For  example,  after  4  years,  CPMS  still  had 
not  prepared  a  formal  Analysis  of  Alternatives  or  standard  DoD  performance 
measures  for  DCPDS,  even  though  GAO  had  previously  identified  weaknesses 
in  those  areas.  Additionally,  the  MDA  did  not  ensure  that  DCPDS  Program 
officials  developed  a  DCPDS  implementation  risk  analysis  and  mediation  plan 
even  though  DCPDS  implementation  was  contracted  to  an  outside  source. 
Further,  although  DCPDS  did  not  meet  all  Operational  Requirements  Document 
requirements  and  key  performance  parameters  during  the  Qualification 
Operational  Test  and  Evaluation,  DCPDS  managers  did  not  document  an 
approach  for  resolving  the  testing  issues  for  MDA  consideration  during  the 
milestone  review. 

Milestone  Exit  Criteria 


DoD  Regulation  5000. 2-R  states  that  the  Program  Manager  shall  propose  and 
the  MDA  shall  approve  exit  criteria  appropriate  to  the  next  acquisition  phase  at 
each  milestone  review.  Exit  criteria  should  demonstrate  a  level  of  performance 
outcome,  accomplishment  of  a  process  at  a  particular  level  of  efficiency, 
accomplishment  of  an  event,  or  some  other  indication  that  the  program  is 
progressing  satisfactorily.  The  Regulation  also  requires  the  acquisition  decision 
memorandum  (ADM)  to  document  exit  criteria  requirements. 

The  ADM  issued  by  the  MDA  for  the  May  1996  and  May  2000  milestone 
decision  approvals  did  not  contain  sufficient  exit  criteria  to  guide  the  DCPDS 
Program  through  the  next  acquisition  phase.  Rather  than  provide  requirements 
for  the  next  acquisition  phase,  the  ADM  required  specific  steps  for  program 
officials  to  perform  that  should  have  been  completed  during  the  previous 
acquisition  phase.  Additionally,  the  MDA  did  not  ensure  sufficient  followup  to 
enforce  the  provisions  set  forth  in  the  ADM. 

Milestone  I  Exit  Criteria.  The  May  20,  1996,  ADM  provided  Milestone  I 
approval  pending  the  submission  by  July  1996  of  an  approved  Operational 
Requirements  Document,  an  Acquisition  Program  Baseline,  and  a  Test  and 
Evaluation  Master  Plan.  DCPDS  Program  officials  should  have  submitted  fully 
coordinated  and  approved  key  documents  for  consideration  before  the 
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Milestone  I  decision,  but  did  not  submit  them  to  the  CIO  in  final  form  until  4, 
21,  and  31  months,  respectively,  after  the  Milestone  I  decision.  The  CIO  also 
did  not  ensure  that  the  documents  were  prepared,  approved,  and  submitted  in  a 
timely  manner  as  required  by  the  ADM.  Appendix  C  provides  a  timeline  of 
DCPDS  program  events  including  approval  dates  for  milestone  decisions  and 
program  documentation. 

The  ADM  also  stated  specific  requirements  that  DCPDS  Program  officials 
needed  to  meet  before  exiting  Phase  II,  such  as  the  development  of  a  risk 
management  plan.  DCPDS  Program  officials  developed  and  approved  a  risk- 
management  plan  in  February  1997,  but  did  not  update  it  until  DCPDS  Program 
officials  prepared  a  draft  pre-Milestone  III  Technical  Risk  Management  Plan  in 
January  2000.  However,  the  Director,  CPMS,  did  not  approve  the  draft  plan. 

Milestone  III  Exit  Criteria.  The  May  19,  2000,  ADM  authorized  the  DCPDS 
Program  to  proceed  to  the  deployment  phase  subject  to  completing  several 
actions  before  fielding.  The  ADM  required  the  Director,  CPMS,  to  provide 
within  30  days,  a  Memorandum  of  Understanding  of  the  mission-essential 
functions  necessary  to  field  the  system,  an  approved  deployment  schedule,  and 
an  acquisition  program  structure.  The  ADM  also  required  the  Director,  CPMS, 
to  fully  develop  the  mission-essential  functions  and  the  Air  Force  Operational 
Test  and  Evaluation  Center  to  perform  the  appropriate  operational  testing  before 
deployment.  The  Director,  CPMS,  provided  the  three  documents  to  the  CIO 
within  30  days,  but  the  CIO  did  not  question  the  adequacy  of  the  CPMS 
documentation  and  did  not  ensure  that  the  deficiencies  identified  during  testing 
were  addressed. 

Mission-Essential  Functions.  The  Qualification  Operational  Test  and 
Evaluation  Test  Report  prepared  by  the  Air  Eorce  Operational  Test  and 
Evaluation  Center  concluded  that  DCPDS  was  effective  and  suitable  and 
recommended  a  Milestone  III  approval.  However,  DCPDS  did  not  meet  all  of 
the  Key  Performance  Parameter  requirements  of  the  Operational  Requirements 
Document.  The  Test  Report  recommended  that  the  capabilities  dealing  with 
mass  actions  be  operational  before  the  DCPDS  was  fielded.  However,  the 
May  19,  2000,  ADM  did  not  specifically  request  that  CPMS  officials  address 
the  Test  Report  recommendations.  Rather  than  determining  whether  those 
requirements  should  be  waived,  the  Memorandum  of  Understanding  provided  by 
the  Director,  CPMS,  and  the  functional  Components  focused  on  pre-planned 
upgrades.  As  a  result,  the  Air  force  Operational  Test  and  Evaluation  Center 
Test  Report  recommendation  on  mass  actions  was  not  specifically  addressed  and 
it  remained  unclear  whether  the  requirement  would  be  resolved  before  the 
DCPDS  was  fielded. 

Deployment  Schedule.  The  CPMS  provided  a  deployment  schedule  on 
June  19,  2000,  which  showed  that  fielding  was  to  begin  on  August  4,  2000. 

The  schedule  was  unrealistic  because  additional  testing  had  not  been  scheduled. 
The  CPMS  began  limited  deployment  to  expand  the  modem  DCPDS  test  base 
on  October  13,  2000.  As  of  May  2001,  CPMS  had  deployed  five  full-scale  core 
systems  and  expanded  field-testing  at  six  test  sites.  CPMS  plans  to  complete 
DCPDS  deployment  by  September  2001. 
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CPMS  Acquisition  Program  Structure.  In  September  1999,  the  CIO 
authorized  the  transition  of  DCPDS  implementation,  sustainment,  operations 
and  maintenanee  from  the  program  management  organization  to  a  eommercial 
vendor.  In  May  2000,  the  transition  occurred  and  the  DCPDS  program  office 
was  dissolved.  With  the  transition  and  subsequent  loss  of  acquisition  program 
oversight,  CPMS  officials  were  required  to  develop  an  acquisition  program 
strategy  for  assuming  overall  DCPDS  program  management  responsibilities.  In 
October  1999,  CPMS  officials  established  a  separate  Vendor  Management 
Office  to  provide  management  oversight  and  support  to  DCPDS  procurement, 
contract,  and  certification  activities. 

Because  the  assumption  of  acquisition  program  management  responsibilities  by 
the  functional  proponent  was  highly  unusual,  we  reviewed  the  qualifications  of 
the  Vendor  Management  Office  staff  to  determine  whether  staff  qualifications 
were  appropriate  for  the  task.  Although  staff  qualifications  appeared  adequate, 
the  CIO  should  continue  to  periodically  oversee  the  CPMS  throughout  the 
fielding  and  operational  support  of  DCPDS. 

Effectiveness  of  CIO  Oversight 


We  examined  the  structure  and  procedures  for  CIO  acquisition  oversight  of  the 
DCPDS  Program.  We  also  evaluated  the  data  relied  upon  by  the  CIO  in  making 
oversight  decisions.  The  DCPDS  oversight  controls  were  not  fully  effective 
because  the  senior  advisory  team  to  the  CIO  was  not  fully  involved.  We  also 
identified  control  weaknesses  associated  with  the  ongoing  oversight  process  of 
the  DCPDS  Program. 

Information  Technology  Overarching  Integrated  Product  Team.  The 

Information  Technology  Overarching  Integrated  Product  Team  (Overarching 
IPT)  was  minimally  involved  in  the  oversight  of  the  DCPDS  Program.  The 
primary  role  of  the  Overarching  IPT  was  to  provide  advice  to  the  CIO  during 
milestone  reviews.  The  Overarching  IPT,  known  as  the  Major  Automated 
Information  Systems  Review  Council  until  July  1998,  was  composed  of  senior 
managers  representing  the  primary  staff  assistants  with  an  interest  in  the  subject 
system.  For  DCPDS,  the  Overarching  IPT  included  senior  managers  from  the 
offices  of  the  Under  Secretary  of  Defense  (Acquisition,  Technology,  and 
Logistics);  the  Under  Secretary  of  Defense  (Comptroller);  the  Director, 
Operational  Test  and  Evaluation;  the  Director,  Program  Analysis  and  Evaluation; 
and  user  representatives.  Although  the  Overarching  IPT  reviewed  and  concurred 
with  draft  acquisition  decision  memoranda  before  formal  DCPDS  milestone 
decisions,  it  did  not  meet  during  milestone  reviews  to  discuss  the  progress  and 
stams  of  the  DCPDS  Program  and  did  not  help  identify  potential  programmatic 
problems.  Instead,  the  Overarching  IPT  relied  on  a  lower-level.  Acquisition 
Oversight  IPT  to  provide  critical  DCPDS  oversight  review  and  direction. 

Acquisition  Oversight  IPT.  The  Acquisition  Oversight  IPT  continuously 
monitored  DCPDS,  but  did  not  provide  effective  oversight  to  ensure  that 
DCPDS  complied  with  DoD  acquisition  requirements  or  milestone  decision 
authority  direction.  Prom  July  1997  through  June  2000,  the  Acquisition 
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Oversight  IPT  met  18  times  and  monitored  aspects  of  DCPDS  such  as  program 
and  life-cycle  costs,  information  assurance,  testing.  Year  2000  planning, 
training,  and  outsourcing.  The  Acquisition  Oversight  IPT  also  provided 
program  progress  updates,  established  and  tracked  action  items,  and  tracked 
audits  and  reviews.  However,  the  Acquisition  Oversight  IPT  did  not  effectively 
question  the  adequacy  of  program  documentation  or  the  actions  of  program 
officials.  For  example,  the  Acquisition  Oversight  IPT  did  not  ensure  that 
DCPDS  Program  officials  prepared  key  documentation  in  accordance  with  DoD 
acquisition  policies  prior  to  milestone  decision  reviews  and  did  not  ensure  that 
the  provisions  contained  in  related  acquisition  decision  memoranda  were  met  in 
a  timely  and  efficient  manner.  Additionally,  while  the  Acquisition  Oversight 
IPT  tracked  the  status  of  DCPDS  audits  and  reviews,  it  did  not  ensure  that 
DCPDS  Program  officials  took  corrective  actions  to  address  deficiencies 
identified  by  the  Inspector  General,  DoD,  and  GAO. 

CIO  Verification  of  Information.  Overall,  the  CIO  could  improve  oversight 
responsibilities  through  the  periodic  verification  of  information  provided.  CIO 
staff  members  informed  us  that  oversight  verification  was  seldom  performed. 
Therefore,  we  concluded  that  prudent  verification  efforts  could  substantially 
improve  the  effectiveness  of  oversight  responsibilities.  For  example,  during  the 
DCPDS  certification  briefing  to  the  Deputy  CIO,  the  review  team  provided 
qualified  confirmations  relating  to  steps  taken  on  the  congressional  interest 
items.  Nevertheless,  the  Deputy  CIO  provided  Congress  with  an  unqualified 
certification. 

DoD  Criteria  and  Approach  for  Determining  Compliance 


The  CIO  certified  that  the  DCPDS  Program  was  being  developed  in  accordance 
with  the  CCA,  but  the  basis  for  the  certification  was  unclear  because  the  CIO 
had  not  established  common  criteria  or  a  uniform  approach  to  determine  the 
adequacy  of  compliance.  Further,  the  CIO  did  not  describe  the  basis  used  for 
certification  in  the  congressional  notification. 

Bases  Cited  for  DCPDS  Certification.  Because  neither  the  compliance  report 
nor  the  certification  report  specified  a  basis  for  certification,  we  asked  staff 
members  in  the  Office  of  the  Secretary  of  Defense,  who  primarily  developed  the 
section  8121(b)  certification  process,  to  clarify  the  basis  for  system  certification. 
Their  answers  indicated  confosion  as  to  the  basis  for  certification.  One  CIO 
staff  member  stated  that  the  basis  for  certification  was  premised  on  the  CIO 
oversight  process  for  major  automated  information  systems;  however,  a  member 
of  Program  Analysis  and  Evaluation  staff  stated  that  certification  was  based  on 
an  assessment  of  the  steps  taken  relating  to  the  five  items  of  interest  specified  in 
section  8121(b).  We  evaluated  both  processes  and  determined  that  they  both 
included  notable  weaknesses  and  did  not  provide  a  suitable  basis  for  certifying 
to  Congress  that  the  DCPDS  Program  was  managed  and  developed  in 
accordance  with  the  CCA. 

DoD  Guidance  for  Certification.  On  July  13,  2000,  the  CIO  issued  a 
memorandum,  “Department  of  Defense  (DoD)  Information  Technology  (IT) 
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Systems  Certification  Requirements,”  on  the  certification  process  for  major 
automated  information  systems.  Overall,  the  procedures  were  similar  to  the 
DCPDS  draft  procedures.  Specifically,  the  guidance  requires  that  Component 
heads  prepare  a  compliance  report,  confirm  that  steps  were  taken  to  address  the 
congressional  interest  items,  and  provide  descriptions  of  the  steps  taken. 

Further,  the  July  13,  2000,  memorandum  requires  the  Component  head  to 
concur  that  the  subject  system  was  developed  in  accordance  with  the  CCA.  The 
memorandum  also  included  a  sample  template  for  compliance  reporting.  The 
template  indicated  that  compliance  could  be  determined  by  assessing  the  steps 
taken  for  the  five  specific  interest  items;  however,  it  did  not  provide  criteria  for 
assessing  CCA  compliance  and  did  not  state  any  specific  approach  for 
determining  the  adequacy  of  compliance.  Although  section  8121(b)  was 
applicable  only  during  FY  2000,  Congress  included  section  8121(b)  certification 
requirements  in  section  811(c)  of  the  Defense  Authorizations  Act  of  FY  2001. 
Accordingly,  the  CIO  needs  to  develop  specific  criteria  or  specify  a  common 
approach  for  all  DoD  Components  to  achieve  uniform  and  consistent  compliance 
assessments. 

Conclusion 


The  CIO  certified  in  May  2000  that  DCPDS  was  being  developed  in  accordance 
with  the  CCA.  However,  the  January  1999  GAO  report  clearly  indicated  that 
DCPDS  development  was  not  compliant  with  the  CCA.  The  CIO  did  not  ensure 
that  CPMS  officials  corrected  the  deficiencies  reported  by  GAO  and  did  not 
verify  that  the  five  specific  interest  items  cited  in  section  8121(b)  were 
completed  in  accordance  with  DoD  acquisition  policy.  For  example,  a  formal 
analysis  of  alternatives  was  never  prepared  and  an  in-depth,  cost/benefit  analysis 
was  not  prepared  for  any  other  alternative  except  the  product  selected  for  the 
DCPDS  Program.  Certain  aspects  of  the  CCA,  such  as  an  analysis  of 
alternatives  and  an  economic  analysis,  should  have  been  thoroughly  performed 
early  in  the  DCPDS  development  process.  Milestone  III  was  too  late  in  the 
DCPDS  development  process  to  obtain  any  of  the  benefits  that  an  analysis  of 
alternatives  or  an  economic  analysis  could  have  provided.  Although  DCPDS 
was  past  the  stage  where  reengineering  business  processes  and  an  analysis  of 
alternatives  could  be  useful,  the  CIO  needs  to  ensure  that  acquisition  programs 
that  are  in  the  early  stages  of  the  acquisition  process  adhere  to  the  principles  and 
intent  of  the  CCA. 

We  realize  that  implementation  of  both  the  CCA  and  section  8121(b)  (now 
section  811(c))  is  still  being  refined.  The  lessons  learned  from  DCPDS  and 
other  early  system  certifications  will  be  useful  in  improving  the  effectiveness  of 
this  process. 

Management  Comments  on  the  Finding  and  Audit  Response 


Management  Comments.  The  Acting  Assistant  Secretary  of  Defense  (Force 
Management  Policy)  and  the  Director,  Defense  Civilian  Personnel  Management 
Service,  jointly  provided  comments  that  strongly  opposed  our  description  of 
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issues  previously  identified  by  GAO  as  CCA  compliance  issues  because  the 
earlier  program  decisions,  upon  which  the  issues  were  based,  were  made  prior 
to  the  enactment  of  the  CCA.  Additionally,  the  GAO  report  did  not  assess  DoD 
compliance  with  CCA;  rather,  it  evaluated  whether  DoD  had  applied  the 
principles  of  CCA.  As  to  previously  identified  CCA  compliance  issues  not 
being  fully  resolved,  the  Acting  Deputy  Assistant  Secretary  of  Defense  (Deputy 
CIO)  also  indicated  that  the  report  did  not  appropriately  recognize  that  the  CCA 
was  not  in  existence  when  relevant  decisions  were  made. 

Audit  Response.  The  Assistant  Secretary  of  Defense  (Force  Management 
Policy)  made  very  similar  comments  to  a  draft  of  the  GAO  report  published  in 
January  1999.  In  its  final  report,  GAO  rebutted  that,  although  initial  DCPDS 
decisions  predated  the  CCA,  the  CCA  had  been  in  effect  since  1996  and  should 
have  been  applied  to  all  decisions  made  after  its  enactment.  The  GAO  also 
pointed  out  that  0MB  Circulars  A- 11  and  A- 130,  which  contain  basic  principles 
of  sound  system  acquisition  management,  existed  when  initial  DCPDS  decisions 
were  being  made.  Additionally,  GAO  cited  several  other  acts  that  were  in  effect 
at  the  time  of  initial  DCPDS  decisions,  which  contained  requirements  similar  to 
those  outlined  in  the  CCA.  Those  acts  included  the  Government  Performance 
and  Results  Act  of  1993,  the  Federal  Acquisition  and  Streamlining  Act  of  1994, 
and  the  Paperwork  Reduction  Act  of  1995. 

The  basic  concepts  that  were  mandated  by  the  CCA  for  the  management  of 
information  systems  were  not  new  to  DoD.  As  previously  discussed  on  pages  2 
and  3,  similar  DoD  policy  and  requirements  existed  prior  to  the  enactment  of 
the  CCA  and  were  equally  applicable  to  all  program  decisions  made  before  and 
after  the  enactment  of  CCA  in  1996.  For  example,  DoD  Directive  8000.1, 
“Defense  Information  Management  (IM)  Program,”  October  27,  1992, 
established  requirements  and  responsibilities  related  to  each  of  the 
section  8121(b)  interest  items:  business  process  reengineering,  analysis  of 
alternatives,  economic  analysis,  performance  measures,  and  information 
assurance. 

The  Acting  Assistant  Secretary  of  Defense  (Force  Management  Policy)  jointly 
with  the  Director,  Civilian  Personnel  Management  Service,  and  the  Acting 
Deputy  Assistant  Secretary  of  Defense  (Deputy  CIO)  disagreed  with  many  other 
aspects  of  the  draft  report  finding  and  discussion  and  provided  extensive 
comments.  A  summary  of  additional  management  comments  and  the  audit 
response  is  in  Appendix  D.  The  full  text  of  management  comments  is  in  the 
Management  Comments  section  of  this  report. 
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Recommendations,  Management  Comments,  and  Audit 
Response 


Based  on  management  eomments,  we  revised  Reeommendations  l.e.,  2. a.,  and 
2.b. 

1.  We  recommend  that  the  Chief  Information  Officer,  DoD,  Assistant 
Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence): 

a.  Clarify  and  enhance  the  criteria  and  approach  to  he  used  hy  DoD 
Components  for  determining  whether  major  automated  information  systems 
are  developed  in  accordance  with  the  Clinger-Cohen  Act  of  1996. 

h.  Strengthen  Chief  Information  Officer  oversight  processes, 
including  the  process  for  certifying  that  major  automated  information 
systems  are  developed  in  accordance  with  the  Clinger-Cohen  Act  of  1996,  hy 
periodically  confirming  the  accuracy  and  adequacy  of  information  reported 
hy  DoD  Components. 

c.  In  coordination  with  the  Director,  Civilian  Personnel 
Management  Service,  ensure  the  implementation  of  standard  DoD 
performance  measures  for  the  Defense  Civilian  Personnel  Data  System. 

d.  Provide  oversight  of  the  Defense  Civilian  Personnel  Data  System 
program  acquisition  and  management  responsibilities  performed  hy  the 
Civilian  Personnel  Management  Service  during  Phase  III  and  enforce  the 
requirements  of  the  acquisition  decision  memorandum. 

Management  Comments.  The  Acting  Deputy  Assistant  Secretary  (Deputy 
CIO)  concurred  with  Recommendations  l.a.,  l.b.,  and  l.d.  Regarding 
Recommendation  l.a.,  the  Deputy  CIO  agreed  that  better  CCA  compliance 
guidelines  and  standards  were  needed  and  planned  to  partner  with  DoD 
Components  and  Office  of  the  Secretary  of  Defense  oversight  organizations  to 
develop  the  guidelines  and  standards.  In  response  to  Recommendation  l.b.,  the 
Deputy  CIO  cited  recent  changes  to  DoD  acquisition  policy  that  require  DoD 
officials  to  provide  CCA  certification  or  confirmation  in  a  number  of  areas. 

The  Deputy  CIO  also  restated  the  intent  to  develop  certification  guidelines  and 
standards.  As  to  Recommendation  l.d.,  the  Deputy  CIO  stated  that  DCPDS 
acquisition  and  management  will  continue  to  be  overseen  throughout  Phase  III  to 
ensure  compliance  with  the  acquisition  decision  memorandum. 

The  Deputy  CIO  nonconcurred  with  Recommendation  l.e.  in  the  draft  report, 
stating  that  implementation  of  performance  measures  was  more  appropriately  a 
responsibility  of  the  Under  Secretary  of  Defense  (Personnel  and  Readiness). 
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Although  not  required  to  comment,  the  Acting  Assistant  Secretary  of  Defense 
(Force  Management  Policy)  and  the  Director,  Civilian  Personnel  Management 
Service,  jointly  provided  comments  on  the  recommendations.  For  the  complete 
text  of  their  comments,  see  the  Management  Comments  section  of  this  report. 

Audit  Response.  The  comments  of  the  Deputy  CIO  were  partially  responsive 
on  Recommendations  l.a.,  l.b.,  and  l.d.  For  Recommendation  l.a..  The 
Deputy  CIO  stated  that  CCA  compliance  guidelines  and  standards  would  be 
developed,  but  did  not  include  an  anticipated  completion  date.  Accordingly,  we 
request  additional  comments  on  the  anticipated  completion  date  of  planned 
actions.  Regarding  Recommendation  l.b.,  management  comments  were  not 
responsive  to  the  intent  of  the  recommendation.  To  avoid  providing  Congress 
and  other  organizations  with  potentially  misleading  information  regarding 
Clinger-Cohen  compliance  of  DoD  information  systems,  the  CIO  should  take 
steps  to  ensure  that  the  information  provided  by  DoD  Components  is  accurate 
and  objective.  Accordingly,  we  request  additional  comments  explaining  how 
the  DoD  CIO  will  periodically  confirm  the  accuracy  and  adequacy  of 
information  reported.  We  also  request  the  completion  date  of  actions  planned. 
For  Recommendation  l.d.,  the  Deputy  CIO  did  not  describe  how  the  Office  of 
the  DoD  CIO  will  continue  to  oversee  the  DCPDS  program  acquisition  and 
management  responsibilities  performed  by  the  CPMS  during  Phase  III.  We 
request  additional  comments  that  describe  the  plan  of  action  for  continued 
oversight  during  Phase  III  and  provide  the  anticipated  completion  date  for 
enforcement  of  the  ADM  requirements. 

In  response  to  management  comments  on  the  draft  recommendations,  we  revised 
Recommendation  l.c.  to  more  appropriately  place  implementing  responsibilities 
for  performance  measurements  on  the  Director,  CPMS,  and  coordination  and 
oversight  responsibilities  on  the  CIO.  Accordingly,  we  request  that  the  CIO 
provide  additional  comments  on  the  revised  recommendation  that  include  an 
action  plan  and  an  anticipated  completion  date  for  the  implementation  of 
standardized  performance  measures. 

2.  We  recommend  that  the  Director,  Civilian  Personnel  Management 
Service: 

a.  Appropriately  secure  all  interfaces  between  the  Defense  Civilian 
Personnel  Data  System  and  other  automated  systems. 

b.  Develop,  and  make  readily  and  easily  available  to  Defense 
Civilian  Personnel  Data  System  users,  guidance  to  adequately  define 
password  characteristics  and  procedures  to  avoid  unauthorized  use  of 
terminals  and  to  mark  sensitive  data  appropriately. 

Management  Comments.  The  Acting  Assistant  Secretary  of  Defense  (Force 
Management  Policy)  and  the  Director,  Civilian  Personnel  Management  Service, 
indicated  nonconcurrence  with  both  recommendations  and  stated  that  the 
DCPDS  interfaces  were  appropriately  secure  and  would  be  monitored 
throughout  deployment.  Management  also  stated  that  because  the  Designated 
Approving  Authority  had  already  accepted  the  system  risks  and  mitigating 
circumstances  for  DCPDS,  a  delay  in  deployment  was  unwarranted  and 
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unnecessary.  Additionally,  CPMS  had  coordinated  with  the  Defense  Finance 
and  Accounting  Service  on  the  single  interface  (two-way  data  feed)  between 
DCPDS  and  the  payroll  system.  The  Defense  Finance  and  Accounting  Service 
had  no  plans  to  encrypt  this  data. 

Audit  Response.  We  met  with  CPMS  officials  on  February  1,  2001,  to  discuss 
our  draft  recommendations.  We  initiated  the  meeting  to  clarify  our  position  and 
concerns.  Regarding  Recommendation  l.a.,  we  identified  five  DCPDS 
interfaces,  (which  we  define  as  any  exchange  of  data  between  systems, 
regardless  of  whether  the  exchange  is  one-  or  two-way),  that  had  not  been 
considered  during  formal  documented  DCPDS  risk  analyses.  We  provided 
CPMS  officials  with  a  list  of  the  specific  unprotected  interfaces  and  provided 
suggestions  that  would  minimize  the  associated  risks  of  sending  unsecured  data, 
passwords,  and  user  identifications  over  the  Internet.  Potential  consequences 
included  unauthorized  access  to  sensitive  data,  data  alteration,  access  to  system 
login  accounts,  and  the  introduction  of  viruses  or  Trojan  horses  to  the  system. 

Also  at  that  meeting,  CPMS  officials  expressed  reluctance  to  include  detailed 
guidance  on  passwords  in  the  DCPDS  Users  Manual.  They  felt  that  because  the 
Users  Manual  was  web-based,  detailed  password  composition  guidance  was  not 
appropriate  on  such  an  open  forum  and  would  pose  too  much  of  a  security  risk. 
We  acknowledged  those  security  concerns,  but  reiterated  that  awareness  and 
training  on  appropriate  security  procedures  are  the  first  line  of  defense  against 
unauthorized  access  to  the  DCPDS  information  and  network  of  systems.  Based 
on  management  concerns,  we  agreed  to  no  longer  require  that  the  enhanced 
guidance  be  published  in  the  Users  Manual.  We  also  agreed  to  revise 
Recommendation  2.b.  to  allow  for  alternate  implementation  methods,  as  long  as 
CPMS  officials  documented  the  needed  guidance  and  requirements  and  make 
them  readily  and  easily  available  to  DCPDS  users.  We  also  reiterated  that 
periodic  security  training  for  DCPDS  users  will  assist  in  maintaining  the 
security  of  the  system.  Accordingly,  we  revised  the  discussion  and 
recommendation  on  information  assurance  in  this  final  report. 

Because  the  DCPDS  Designated  Approving  Authority  recognized  and  accepted 
the  risks  identified,  we  revised  Recommendation  2  to  remove  the  requirement  to 
tie  further  system  deployment  to  implementation  of  the  recommended  actions. 
We  request  that  the  Assistant  Secretary  reconsider  our  recommendations  and 
provide  additional  comments. 


20 


Appendix  A.  Audit  Process 

Scope  and  Methodology 


We  evaluated  the  basis  for  the  eertifieation  made  to  Congress  in  response  to 
section  8121(b)  and  the  effectiveness  of  oversight  provided  by  the  Overarching 
IPT,  the  Acquisition  Oversight  IPT,  and  the  milestone  reviews.  Specifically, 
we  reviewed  the  certification  process  including  the  compliance  report  prepared 
by  CPMS,  briefing  charts  used  to  brief  the  Deputy  CIO  on  the  DCPDS 
certification  process,  and  the  certification  report  submitted  to  Congress  by  the 
CIO.  We  discussed  various  aspects  of  the  DCPDS  certification  process, 
procedures,  and  information  provided  to  Congress  with  staff  of  the  Director, 
CPMS,  staff  of  the  Director,  Program  Analysis  and  Evaluation,  and  staff  of  the 
CIO.  We  also  reviewed  the  minutes  from  18  Acquisition  Oversight  IPT 
meetings  held  from  July  1997  to  March  2000  and  inquired  about  the  oversight 
provided  by  the  OSD  Overarching  IPT.  We  determined  whether  program 
officials  prepared  key  documentation  prior  to  the  milestone  reviews  on  May 
1996  and  May  2000,  and  reviewed  the  ADMs  issued  for  those  two  milestone 
reviews.  We  also  determined  whether  the  exit  criteria  provided  in  the  May 
1996  and  May  2000  ADMs  were  well-defined  and  enforced  by  the  MDA  and  his 
staff.  Finally,  we  reviewed  the  actions  taken  in  response  to  prior  audits  and 
reviews  of  the  DCPDS  Program. 

DoD-Wide  Corporate  Level  Government  Performance  and  Results  Act 
Coverage.  In  response  to  the  Government  Performance  Results  Act,  the 
Secretary  of  Defense  annually  establishes  DoD-wide  corporate  level  goals, 
subordinate  performance  goal,  and  performance  measures.  This  report  pertains 
to  achievement  of  the  following  goals  and  subordinate  performance  goal. 

•  FY  2001  DoD  Corporate  Level  Goal  2:  Prepare  now  for  an  uncertain 
fumre  by  pursuing  a  focused  modernization  effort  that  maintains  U.S. 
qualitative  superiority  in  key  warfighting  capabilities.  Transform  the  force 
by  exploiting  the  Revolution  in  Military  Affairs,  and  reengineer  the 
Department  to  achieve  a  21st  cenmry  infrastrucmre.  (Ol-DoD-2) 

•  FY  2001  DoD  Subordinate  Performance  Goal  2.5:  Improve  DoD 
financial  and  information  management.  (Ol-DoD-2.5) 

DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
also  established  performance  improvement  reform  objectives  and  goals.  This 
report  pertains  to  achievement  of  the  following  functional  area  objectives  and 
goals: 

•  Information  Technology  Management  Functional  Area. 

Objective:  Become  a  mission  partner.  Goal:  Serve  mission  information 
users  as  customers.  (ITM-1.2) 
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•  Information  Technology  Management  Functional  Area. 

Objective:  Provide  services  that  satisfy  customer  information  needs. 

Goal:  Modernize  and  integrate  Defense  information  infrastrucmre. 
(ITM-2.2) 

•  Information  Technology  Management  Functional  Area. 

Objective:  Provide  services  that  satisfy  customer  information  needs. 

Goal:  Upgrade  technology  base.  (ITM-2.3) 

•  Information  Technology  Management  Functional  Area. 

Objective:  Reform  information  technology  management  processes  to 
increase  efficiency  and  mission  contribution.  Goal:  Instimtionalize 
provisions  of  the  Information  Technology  Management  Reform  Act  of  1996, 
(renamed  as  the  Clinger-Cohen  Act  of  1996).  (ITM  3.1) 

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
has  identified  several  high-risk  areas  in  DoD.  This  report  provides  coverage  of 
the  Information  Management  and  Technology  high-risk  area. 

Use  of  Computer-Processed  Data.  We  did  not  use  computer-processed  data  to 
perform  this  audit. 

Use  of  Technical  Assistance.  We  received  technical  assistance  from  a 
computer  engineer  in  the  Technical  Assessment  Division,  Audit  Followup  and 
Technical  Support  Directorate.  The  computer  engineer  reviewed  DCPDS 
documentation  on  information  security  and  testing.  Specifically,  the  computer 
engineer  reviewed  the  Test  and  Evaluation  Master  Plan,  the  Qualification 
Operational  Test  and  Evaluation  Einal  Report,  the  Security  Test  and  Evaluation 
Report,  and  the  System  Security  Authorization  Agreement. 

Audit  Type,  Dates,  and  Standards.  We  performed  this  economy  and 
efficiency  audit  from  May  through  December  2000,  in  accordance  with  auditing 
standards  issued  by  the  Comptroller  General  of  the  United  States,  as 
implemented  by  the  Inspector  General,  DoD.  We  comply  with  Government 
Auditing  Standards  except  for  the  requirement  for  an  external  quality  control 
review.  Measures  have  been  taken  to  obtain  an  external  quality  control  review. 

Contacts  During  the  Audit.  We  visited  or  contacted  individuals  and 
organizations  within  DoD.  further  details  are  available  upon  request. 

Prior  Coverage 

General  Accounting  Office 

GAO/AIMD-99-20  (OSD  Case  No.  1719)  “Defense  IRM:  Alternatives  Should 
Be  Considered  in  Developing  the  New  Civilian  Personnel  System,  ” 

January  1999. 
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Inspector  General,  DoD 

Inspector  General,  DoD,  Report  No.  98-127  “Information  Assurance  of  the 
Defense  Civilian  Personnel  Data  System  -  Navy,”  April  29,  1998. 

Inspector  General,  DoD,  Report  No.  98-082,  “Information  Assurance  of  the 
Defense  Civilian  Personnel  Data  Service,”  February  23,  1998. 

Inspector  General,  DoD,  Report  No.  98-041  “Acquisition  Management  of  the 
Defense  Civilian  Personnel  Data  System,”  December  16,  1997. 
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Appendix  B.  Defense  Civilian  Personnel  Data 

System 


Based  on  a  1994  study,  DoD  decided  to  replace  multiple,  mainframe-based 
personnel  management  support  systems  with  a  single,  standard  DoD  system  to 
better  support  personnel  operations  approximately  800,000  defense  civilian 
personnel.  Improving  the  efficiency  of  DoD  civilian  personnel  processes  and 
increasing  the  overall  cost-effectiveness  of  personnel  operations  were  the 
primary  objectives  for  developing  a  modern  DoD  civilian  personnel  system. 

The  Director,  CPMS,  tasked  to  achieve  those  objectives,  developed  a  functional 
program  with  two  primary  and  complementary  thrusts.  Personnel  operations 
costs  would  be  reduced  through  regional  operations  centers,  and  DCPDS  would 
be  developed  to  provide  enhanced,  DoD-wide  automated  support  for  civilian 
personnel  management  offices. 

Under  regionalization,  civilian  personnel  operations  were  consolidated  into 
22  Regional  Service  Centers  and  more  than  300  Customer  Support  Units.  The 
Regional  Service  Centers  performed  several  personnel  management  processes  on 
a  centralized,  more  economical  basis,  while  Customer  Support  Units  provided 
routine  personnel  management  services  on  a  face-to-face  basis  at  DoD 
installations.  The  DCPDS  would  provide  an  automated  improvement  to 
personnel  management  processes  and  convert  many  paper-based  civilian 
personnel  transactions  to  electronic  transactions.  When  fully  deployed,  DCPDS 
would  provide  the  software  application  tools  and  the  requisite  hardware  to 
support  civilian  personnel  mission  requirements  for  all  DoD  Components. 

The  DCPDS  would  also  provide  different  levels  of  support  capability  for 
regional  and  local  civilian  personnel  management  offices.  Because  the  Regional 
Service  Centers  perform  a  greater  variety  of  personnel  management  functions, 
they  would  receive  the  full  suite  of  DCPDS  software  and  a  commensurate  level 
of  hardware.  The  Customer  Support  Units  would  receive  a  version  of  the 
DCPDS  commensurate  with  the  scope  of  their  operations.  The  basic  design  of 
the  system  was  a  client-server  architecture.  Data  entered  into  the  system  at  the 
Customer  Support  Units  would  update  records  located  at  the  Regional  Service 
Centers.  The  database  of  records  for  each  DoD  civilian  employee  would  reside 
at  their  respective  Regional  Service  Center.  CPMS  also  developed  a 
centralized,  DoD-wide  Corporate  Management  Information  System  for 
DoD-wide  reports  and  ad-hoc  inquiry  purposes.  DCPDS  modernization  will  cut 
personnel  requirements,  reduce  processing  time,  eliminate  redundant  data  entry, 
and  eliminate  the  use  of  multiple  databases. 

The  Director,  CPMS,  expected  the  DCPDS  to  enhance  productivity  by  requiring 
fewer  field  employees  and  providing  personnel  specialists  with  the  ability  to 
service  greater  numbers  of  customers.  At  the  end  of  FY  1994,  one  personnel 
specialist  serviced  66  employees;  in  2001,  one  personnel  specialist  would  be 
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expected  to  service  88  employees.  Expected  nonquantifiable  benefits  included 
providing  improved  data  to  the  DoD  payroll  system  and  a  more  responsive, 
open-systems  environment. 

Status  and  Estimated  Costs  of  the  DCPDS  Program.  The  DCPDS  Program, 
which  was  initiated  on  December  5,  1994,  received  Milestone  0  approval  on 
May  22,  1995.  A  conditional  Milestone  I  approval  occurred  on  May  20,  1996, 
and  a  conditional  Milestone  III  approval  was  granted  on  May  19,  2000. 

DCPDS  was  initially  deployed  to  a  few  test  sites  in  1999.  The  DCPDS 
Program’s  estimated  life-cycle  costs  from  FY1995  through  FY2010  total  about 
$1.3  billion.  By  May  2001,  CPMS  had  deployed  DCPDS  core  systems  to  five 
sites  and  expanded  testing  at  six  test  sights.  CPMS  plans  to  deploy  DCPDS  to 
the  remaining  15  systems  by  September  2001. 
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Appendix  C. 


March  15,  1995 
May  22,  1995 
June  1995 
October  1995 
October  1995 
January  17,  1996 
May  20,  1996 
October  3,  1996 
September  29,  1997 
February  25,  1998 
September  20,  1998 
October  15,  1998 
January  9,  1999 
October  11,  1999 
November  23,  1999 
January  2000 
May  10,  2000 
May  19,  2000 


Timeline  of  Major  DCPDS 
Program  Documentation 


Mission  Needs  Statement 
Milestone  0  Approval 
Original  Acquisition  Program  Baseline 
Original  Operational  Requirements  Document 
Original  Test  and  Evaluation  Master  Plan 

1996  Economic  Analysis 
Conditional  Milestone  I  Approval 

Initial  Operational  Requirements  Document  Approval 

1997  Economic  Analysis 

Initial  Acquisition  Program  Baseline  Approval 

1998  Economic  Analysis 
Acquisition  Program  Baseline,  Revision  1 
Initial  Test  and  Evaluation  Master  Plan  Approval 
Acquisition  Program  Baseline,  Revision  2 
Revised  Operational  Requirements  Document 

1999  Economic  Analysis 
Section  8121(b)  Certification 
Conditional  Milestone  III  Approval 
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Appendix  D.  Summary  of  Management 

Comments  on  the  Finding  and 
Audit  Response 


Acting  Assistant  Secretary  of  Defense  (Force  Management  Policy) 
Comments.  The  Assistant  Secretary  disagreed  with  several  parts  of  the  finding 
and  supporting  discussion,  and  stated  that  the  draft  report  seemed  to  concentrate 
on  the  DCPDS  and  to  evaluate  the  actions  of  its  managers  rather  than  address 
Clinger-Cohen  certification.  The  Assistant  Secretary  also  disagreed  with  our 
discussions  related  to  business  process  reengineering,  analysis  of  alternatives 
and  economic  analysis,  and  performance  measures. 

Regarding  business  process  reengineering,  the  Assistant  Secretary  nonconcurred 
that  CPMS  officials  did  not  critically  examine  and  redesign  their  mission 
delivery  processes,  as  a  whole,  before  deciding  to  invest  in  DCPDS.  Citing  a 
deliberate  decision  to  incrementally  implement  new  processes  to  avoid 
disruption  of  ongoing  civilian  personnel  support  operations  and  binding  Federal 
rules  and  regulations,  the  Assistant  Secretary  stated  that  although  sudden  and 
dramatic  change  may  not  have  been  achieved,  DCPDS  had,  nonetheless, 
dramatically  changed  the  fundamental  way  in  which  DoD  delivers  civilian 
personnel  services. 

Concerning  the  adequacy  of  analysis  of  alternatives  and  economic  analysis,  the 
Assistant  Secretary  disagreed  that  DoD  had  no  conclusive  evidence  that  its 
investment  in  DCPDS  was  optimal.  Cost  was  only  one  factor  considered  in 
evaluating  and  selecting  program  approaches.  Additionally,  the  Assistant 
Secretary  stated  that  we  did  not  aclmowledge  that  GAO  representatives 
indicated,  in  July  1999,  that  it  was  too  late  in  the  program  to  determine  whether 
the  selection  of  the  Oracle  product  was  optimal.  Further,  a  projected  return  on 
investment  of  72.6  percent  indicated  that  investment  in  DCPDS  was  worthwhile. 
As  to  performance  measures,  the  Assistant  Secretary  believed  our  assessment  to 
be  premamre  and  did  not  reflect  DoD  ongoing  efforts.  Citing  those  ongoing 
efforts  to  establish  standardized  performance  measures  with  standard  definitions, 
the  Assistant  Secretary  recommended  that  we  revise  our  discussion  on 
performance  measures. 

On  the  discussion  of  key  documentation  for  milestone  reviews,  the  Assistant 
Secretary  disagreed  that  key  acquisition  documents  were  not  prepared  or  were 
not  prepared  and  approved  in  a  timely  manner,  and  were  not  regularly  updated. 
Aclmowledging  that  the  coordination  of  some  documents,  especially  the 
acquisition  program  baseline,  operational  requirements  document,  and  test  and 
evaluation  master  test  plan,  took  an  extensive  amount  of  time,  copies  of  all 
required  program  documentation  were  provided  to  oversight  officials  prior  to 
each  milestone  review.  Further,  the  official  publication  and  signamre  dates 
were  not  indicative  that  DCPDS  officials  worked  in  isolation  from  oversight 
bodies.  The  Assistant  Secretary  stated  that  documents  rarely  changed  between 
versions  and  oversight  officials  were  fully  aware  of  the  process  required  for 
coordination  and  were  satisfied  with  the  coordination  progress  made. 
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Concerning  our  discussion  of  whether  the  conditional  Milestone  I  approval  was 
nullified  because  the  conditions  of  the  ADM  were  not  met,  the  Assistant 
Secretary  stated  that  approved  documents  were  submitted  as  required  and  the 
Milestone  I  decision  was  not  nullified. 

The  Assistant  Secretary  also  disagreed  that  that  CIO  management  controls  for 
overseeing  the  DCPDS  development  did  not  provide  active  oversight 
participation  and  involvement  by  senior  DoD  advisors  at  key  decision  points  or 
adequate  and  ongoing  direction  and  guidance  to  the  DCPDS  Program.  Their 
representatives  on  the  Acquisition  Oversight  IPT  kept  members  of  the 
Overarching  IPT  aware  of  DCPDS  acquisition  status  and  potential  problems. 
Further,  the  Deputy  Assistant  Secretary  of  Defense  (Civilian  Personnel  Policy) 
and  the  Director,  CPMS,  met  with  Overarching  IPT  members  several  times  to 
discuss  key  program  decisions. 

Additionally,  the  Assistant  Secretary  recommended  that  the  costs  of 
regionalization  and  systems  modernization  be  differentiated  in  our  discussion  of 
estimated  costs  of  the  DCPDS  Program  in  Appendix  B.  Further,  changes 
should  be  made  to  Appendix  C,  Timelines  of  Major  DCPDS  Program 
Documentation,  to  more  clearly  show  when  selected  key  documents  were  first 
developed  and  approved  by  CPMS. 

Audit  Response.  The  audit  and  the  report’s  focus  was  on  the  DoD  CIO’s 
unqualified  certification  and  the  effectiveness  of  DoD  CIO  oversight  of  the 
DCPDS  Program  rather  than  on  DCPDS  management  actions.  We  determined 
whether  the  DoD  CIO  had  sufficient  basis  to  certify  that  selected  systems  were 
developed  in  accordance  with  the  CCA.  To  evaluate  the  oversight  process  of 
major  automated  information  systems  for  compliance  with  the  DoD 
implementation  of  CCA,  we  reviewed  the  process,  procedures,  and  supporting 
program  documentation  of  a  system  that  was  certified  as  being  developed  in 
accordance  with  the  CCA. 

We  amended  our  discussion  of  previously  identified  issues  to  more  clearly  show 
that  many  issues  were  decided  before  the  CCA  was  legislated.  We  also  clarified 
that,  as  stated  in  the  January  1999  GAO  report,  the  principles  set  forth  in  the 
CCA  were  not  new,  but  merely  reiterated  and  reinforced  existing  Office  of 
Management  and  Budget  and  DoD  information  system  development  and 
management  policies.  Based  on  management  comments  and  reconsideration  of 
other  factors,  we  revised  the  discussion  of  business  process  reengineering  to 
reflect  that  related  efforts  met  the  intent  of  the  CCA.  We  also  amended  our 
discussions  of  analysis  of  alternatives  and  economic  analysis,  and  performance 
measures.  However,  we  did  not  change  our  related  conclusions.  For  analysis 
of  alternatives,  although  minimal  documentation  was  available,  it  simply  did  not 
provide  conclusive  economic  evidence  that  the  commercial  software  obtained 
represented  the  best  investment  alternative.  Regarding  performance  measures 
and  ongoing  efforts  to  institutionalize  standard  measurements,  the  CPMS  had 
not  implemented  DoD- wide  standardized  functional  performance  measures. 
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Until  that  occurs,  DoD  continues  to  incur  a  risk  of  having  to  compare  disparate 
information  in  assessing  DCPDS  performance  gains  by  the  functional 
community. 

Regarding  the  Assistant  Secretary’s  comments  on  key  acquisition 
documentation,  we  revised  the  report  to  clarify  the  need  for  coordination  and 
obtaining  approvals  from  DoD  organizations  other  than  CPMS  for  various  key 
acquisition  documents.  However,  the  management  comments  did  not  alter  our 
conclusion  that,  for  DCPDS,  the  CIO  did  not  ensure  that  key  documentation  was 
appropriately  prepared  and  approved  for  consideration  during  milestone 
reviews.  Additionally,  we  take  exception  to  the  Assistant  Secretary’s  implying 
that  delays  in  submitting  appropriately  approved  documents  were  tacitly 
approved.  Documented  direction  from  the  DoD  CIO  does  not  support  that 
contention.  The  Milestone  I  approval  occurred  in  May  1996,  and  the  associated 
ADM  specified  that  an  approved  acquisition  program  baseline  be  provided 
within  60  days.  In  July  1997,  and  again  in  October  1997,  the  chair  of  the  Major 
Automated  Information  Systems  Review  Council  formally  emphasized  to  CPMS 
managers  the  need  for  an  approved  acquisition  program  baseline  document. 
Further,  we  noted  that  the  Assistant  Secretary  did  not  comment  on  other  key 
acquisition  documentation  discussed  in  the  report,  such  as  an  implementation 
risk  analysis  and  mediation  plan  or  an  approach  for  resolving  DCPDS 
operational  test  and  evaluation  issues,  which  the  CIO  should  be  expected  to 
require  for  consideration  during  the  Milestone  III  review.  In  regard  to  whether 
the  DCPDS  Milestone  I  conditional  approval  was  nullified,  because  the  required 
documentation  was  not  fully  and  appropriately  approved  within  the  required 
timeframe  and  because  no  final  Milestone  I  decision  was  documented,  we 
conclude  that  the  matter  is  uncertain. 

As  to  the  adequacy  of  oversight  IPTs,  the  draft  report  recognized  their 
involvement  in  milestone  decisions  and  the  ongoing  monitoring  and  tracking  of 
DCPDS  activities  and  events.  However,  we  continue  to  question  whether  the 
Overarching  IPTs  can  provide  effective  advice  to  the  CIO  during  milestone 
decisions  if  they  never  actually  meet  to  review  program  progress  and  ensure  that 
the  program  appropriately  “fits”  into  higher  level  DoD  initiatives  and 
considerations.  In  addition,  we  continue  to  question  the  effectiveness  of  the 
Acquisition  Oversight  IPT  in  making  sure  that  DoD  acquisition  policies  and 
direction  are  effectively  implemented  by  DCPDS  and  other  major  DoD 
information  technology  programs. 

In  this  final  report,  we  amended  Appendixes  B  and  C  to  address  the  suggestions 
of  the  Assistant  Secretary. 

Acting  Deputy  Assistant  Secretary  of  Defense  (Deputy  CIO)  Comments. 

The  Deputy  CIO  disagreed  with  each  factor  we  cited  in  the  Finding  (page  5)  as 
contributing  to  an  insufficient  basis  for  the  unconditional  certification  of 
DCPDS.  The  Deputy  CIO  stated  that  although  draft  procedures  were  used  to 
develop,  coordinate,  and  review  the  DCPDS  certification,  the  certification  was 
not  adversely  impacted  by  the  use  of  draft  procedures.  As  to  previously 
identified  CCA  compliance  issues  not  being  fully  resolved,  the  Deputy  CIO 
indicated  that  the  report  did  not  appropriately  recognize  that  the  CCA  did  not 
exist  when  relevant  decisions  were  made.  Concerning  the  adequacy  of  data 
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analysis  for  certification,  the  Deputy  CIO  cited  the  involvement  of  the  CCA 
Working  Integrated  Produet  Team  during  the  certification  review  and  asserted 
that  the  data  submitted  for  eaeh  interest  item  were  analyzed  and  found  to 
adequately  support  CCA  certification.  Regarding  the  appropriate  preparation, 
approval,  and  updating  of  key  aequisition  documents,  the  Deputy  CIO  stated 
that  DoD  senior  officials  in  support  of  DCPDS  approved  all  key  aequisition 
doeumentation  in  accordanee  with  acquisition  directives  and  regulations.  Citing 
the  need  for  extensive  coordination  of  some  doeuments,  the  Deputy  CIO 
aeknowledged  delays  but  stated  that  aequisition  oversight  offieials  were  always 
aware  of  the  stams  of  key  aequisition  doeuments. 

The  Deputy  CIO  disagreed  that  milestone  exit  criteria  were  not  well-defined  or 
sufficiently  tracked  and  enforeed,  stating  that  milestone  exit  eriteria  were 
prepared  in  aecordanee  with  DoD  acquisition  guidance  and  that  DoD  CIO 
aequisition  oversight  staff  and  the  Aequisition  Oversight  IPT  monitored  and 
aetively  tracked  MDA  deeisions.  The  Deputy  CIO  disagreed  that  management 
eontrols  for  overseeing  the  DCPDS  development  were  ineffeetive  in  providing 
aetive  partieipation  and  involvement  by  senior  DoD  officials  or  in  providing 
adequate  and  ongoing  direction  and  guidance  to  the  DCPDS  Program.  Senior 
level  involvement  was  achieved  via  feedback  received  from  their  representatives 
on  the  Aequisition  Oversight  IPT.  Further,  in  aeeordanee  with  DoD  acquisition 
guidance,  the  Acquisition  Oversight  IPT  resolved  as  many  issues  as  possible, 
and  elevated  remaining  issues  to  the  DoD  CIO  who  issued  ADMs  to  provide 
ongoing  program  direetion  and  guidanee.  Lastly,  citing  DoD  guidance  issued  in 
May  1997  (see  page  53)  and  the  previously  discussed  eertifieation  guidanee 
issued  in  July  2000,  the  Deputy  CIO  disagreed  that  DoD  had  not  established 
specifie  criteria  for  or  defined  a  common  approach  to  evaluating  the  basis  for 
CCA  eertifieation. 

Audit  Response.  In  several  eases,  the  Deputy  CIO  comments  paralleled  those 
provided  by  the  Assistant  Secretary.  The  audit  response  from  the  Assistant 
Secretary  also  addressed  the  Deputy  CIO  comments  eonceming  the  factors  that 
contributed  to  an  insuffieient  basis  for  unconditional  certification  of  DCPDS. 

As  such,  we  have  limited  this  audit  response  to  the  unique  aspects  of  comments 
made  by  the  Deputy  CIO. 

Regarding  the  use  of  draft  proeedures  for  DCPDS  certification,  we  believe  that 
offieial  guidanee  is  preferable  to  draft  guidanee  because  there  is  no  question  as 
to  its  applieability.  However,  in  considering  management  eomments,  we  agree 
that  the  use  of  draft  proeedures  during  the  DCPDS  certification  process  did  not 
materially  affeet  the  validity  of  the  certification.  Accordingly,  we  removed  the 
use  of  draft  eertifieation  procedures  as  a  eause  of  the  insuffieient  basis  for  an 
unqualified  certification  %  the  CIO. 

Coneerning  the  adequacy  of  data  analysis  for  certification,  we  do  not  understand 
the  basis  for  the  CIO  assertion  that  the  relevant  data  was  analyzed  and  found  to 
adequately  support  certification.  The  draft  report  recognized  that  the  DCPDS 
eertifieation  review  team,  in  briefing  the  DoD  CIO,  presented  qualified 
eonfirmations  of  steps  taken  for  business  proeess  reengineering,  analysis  of 
alternatives,  and  performanee  measures,  beeause  the  GAO  previously  identified 
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problems  in  those  areas.  The  review  team  recommended  certification  because 
CPMS  had  initiated  action  to  address  GAO  concerns.  However,  we  found  no 
documentation  of  the  review  team’s  action  to  review  and  verify  the  extent  or 
reasonableness  of  CPMS  actions.  The  GAO  report  provided  ample  indicators 
that  DCPDS  had  not  been  developed  in  accordance  with  the  intent  of  the  CCA. 
Although  it  was  too  late  in  the  DCPDS  development  process  to  apply  all  CCA 
principles,  the  CIO  certification  report  should  have  acknowledged  that  fact  and 
appropriately  qualified  the  CCA  certification. 

As  discussed  in  the  report,  we  do  not  agree  with  the  Deputy  CIO  assertion  that 
key  acquisition  documents  were  appropriately  approved  and  submitted  for  MDA 
consideration  prior  to  the  Milestone  I  or  Milestone  III  reviews. 

The  report  acknowledges  that  the  CIO  issued  guidance  on  CCA  certification. 
However,  as  further  discussed  in  the  report,  the  guidance  was  very  broad  and 
did  not  provide  specific  criteria  to  evaluate  CCA  compliance  by  DoD 
Components.  Additionally,  no  common  approach  for  determining  CCA 
compliance  was  specified.  The  CIO  needs  to  issue  specific  criteria  so  that 
oversight  organizations  and  functional  proponents  can  ensure  that  programs, 
such  as  DCPDS,  are  consistently  and  sufficiently  assessed  as  to  their  compliance 
with  the  intent  of  the  CCA. 
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Appendix  E.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics 
Under  Secretary  of  Defense  (Comptroller)/Chief  Financial  Officer 
Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Director,  Program  Analysis  and  Evaluation 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 
Deputy  Assistant  Secretary  of  Defense  (Deputy  Chief  Information  Officer) 

Director,  Investment  and  Acquisition 
Assistant  Secretary  of  Defense  (Force  Management  Policy) 

Deputy  Assistant  Secretary  of  Defense  (Civilian  Personnel  Policy) 

Director,  Civilian  Personnel  Management  Service 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Naval  Inspector  General 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Acquisition) 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 


Other  Defense  Organizations 

Defense  Logistics  Agency 

Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget 
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Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Management,  Information,  and  Technology, 
Committee  on  Government  Reform 

House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International 
Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  Technology  and  Procurement  Policy,  Committee  on 
Government  Reform 
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Assistant  Secretary  of  Defense  (Command, 
Control,  Communications,  and  Intelligence) 
Comments 


OFFICE  OF  THE  ASSISTANT  SECRETARY  OF  DEFENSE 
6000  DEFENSE  PENTAGON 
WASHINGTON,  DC  20301-6000 

March  16,  2001 


COMMAND,  CONTROL, 
COMMUNICATIONS,  AND 
INTELLIGENCE 


MEMORANDUM  FOR  DIRECTOR,  ACQUSITION  MANAGEMENT 

DoD  OFFICE  OF  THE  mSPECTOR  GENERAL 

SUBJECT:  DoD  IG  Audit,  Clinger-Cohen  Act  Certification  of  the  Defense  Civilian  Personnel 
Data  System  (DCPDS)  (Project  No.  D2000AS-0212) 

Thank  you  for  the  opportunity  to  review  and  comment  on  your  December  15,  2000,  draft 
audit  report,  subject  as  above.  Our  specific  comments  on  the  subject  report’s  findings  and 
recommendations  are  attached. 

We  are  still  in  the  early  stages  of  certifying  Clinger-Cohen  Act  compliance  for  Major 
Automated  Information  Systems  and  are  trying  to  improve  the  process  as  we  move  forward.  We 
agree  with  your  recommendation  that  we  need  better  standards  and  guidelines  for  the  programs  to 
use  in  developing  their  certifications.  We  are  already  using  your  findings  to  strengthen  our 
process  as  we  deal  with  the  new  certification  actions  that  are  coming  along. 

We  appreciate  the  exchanges  we  have  had  with  members  of  the  OIG  audit  team  and  thank 
them  for  their  diligence. 


Margaret  E.  Myers  *■ 

Acting  Deputy  Chief  Information  Officer 


Attachment 
As  Stated 

cc: 

Deputy  Assistant  Secretary  of  Defense 
(Civilian  Personnel  Policy)  OUSD(P&R) 

Principal  Deputy  Assistant  Secretary  of  the 
Air  Force  for  Business  and  Information  Management 
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Final  Report 
Reference 


Deleted, 
page  5 


Response  to  Office  of  the  Inspector  General  (OIG),  DoD  Draft  Audit  Report 
“Clinger-Cohen  Act  Certification  of  the 
Defense  Civilian  Personnel  Data  System  (DCPDS),” 

Project  No.  D2000AS-0212,  December  15,  2000 

DoD  CIO  COMMENTS: 

The  DoD  IG  finding  that  the  Department  of  Defense  Chief  Information  Officer  (DoD  CIO) 
lacked  a  sufficient  basis  to  certify,  without  qualification,  that  the  Defense  Civilian  Personnel 
Data  System  (DCPDS)  met  the  requirements  of  the  Clinger-Cohen  Act  contains  several  distinct 
causes  for  their  assertion.  We  disagree  with  this  finding.  Building  on  our  existing  regulatory 
acquisition  guidance,  the  DoD  CIO  put  in  place  an  effective  certification  process  to  assess  major 
automated  information  systems  (AIS)  compliance  with  the  Clinger-Cohen  Act  (CCA)  of  1996. 
The  DoD  CIO  specific  responses  are  summarized  as  follows: 

l.A.  Finding: 

The  certification  occurred  before  the  procedures  for  the  certification  review  were  finalized. 

DoD  CIO  Comments:  Non-concur 

While  the  statement  is  true,  the  use  of  the  draft  procedures  to  conduct  the  DCPDS  certification 
review  did  not  impact  the  validity  of  the  certification.  Both  draft  and  final  versions  of  Section 
8121  (b)  certification  procedures  contained  identical  requirements  for  certification.  Since 
DCPDS  was  the  second  program  certified  with  the  DOD  CIO,  and  senior  officials  were  given  full 
briefings  on  certification  procedures  for  the  first  program,  Reserve  Component  Automation 
System  (RCAS).  Further,  the  RCAS  certification  package  was  provided  in  draft  to  congressional 
staff  for  review  and  comment.  Their  comments  were  incorporated  into  the  certification  process 
and  briefed  to  senior  staff. 

In  December  1999,  before  DCPDS  certification,  a  DoD-wide  Working-Level  Integrated  Product 
Team  (WIPT)  was  established  to  review  current  practices  and  develop  a  DoD  standard 
certification  process  for  implementing  the  Section  8121(b)  of  the  FY  2000  DoD  Appropriations 
Act.  The  guidance  included  detailed  procedures  for  certification  as  well  as  a  comprehensive  set 
of  questions  to  be  used  to  examine  each  congressional  interest  item;  business  process 
reengineering,  analysis  of  alternatives,  economic  analysis,  performance  measures,  and  an 
information  assurance  strategy.  Before  releasing  the  guidance,  extensive  briefings  were 
conducted  of  the  certification  process  throughout  the  DoD,  including  the  CIO  Executive  Board. 
On  July  13,  2000,  the  DoD  CIO  issued  formal  certification  guidance.  Department  of  Defense 
(DoD)  Information  Technology  (IT)  Systems  Certification  Requirements. 

Specific  to  DCPDS,  a  CCA  IPT  represented  by  various  staff  offices  within  the  Office  of  the 
Secretary  of  Defense  (OSD)  and  Civilian  Personnel  Management  Services  (CPMS)  was  formed 
to  assist  the  CPMS  and  Air  Force  Personnel  Center  Central  Design  Activity  (CD A)  in  the 
preparation  for  certification.  Given  common  membership  on  the  DoD-wide  WIPT  and  the  CCA 
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IPX  for  DCPDS,  consistency  and  uniformity  of  procedures  were  maintained.  Further,  the  Air 
Force  CIO  concurred  that  Air  Force  sections  (performance  measure  and  information  assurance) 
of  the  DCPDS  certification  report  correctly  document  DCPDS  Compliance  with  CCA  and 
recommended  the  DoD  CIO  certify  DCPDS.  Finally,  the  certification  report  and  notification 
letters  to  the  defense  congressional  committees  were  coordinated  with,  and  endorsed  by,  the 
following: 

•  Office  of  the  Under  Secretary  of  Defense  (Comptroller); 

•  Office  of  the  Director,  Program  Analysis  and  Evaluation; 

•  Office  of  the  Assistant  Secretary  of  Defense  of  Legislative  Affairs; 

•  Office  of  the  Deputy  Under  Secretary  of  Defense  for  Program  Integration; 

•  Office  of  General  Counsel; 

•  Office  of  the  Deputy  Assistant  Secretary  of  Defense  for  Civilian  Personnel  Policy; 

•  Office  of  the  Assistant  Secretary  of  the  Air  Force  for  Acquisition. 

We  believe  strongly  that  this  course  of  action  was  prudent,  given  the  potential  disruptive  effects 
on  program  acquisition  that  would  have  occurred  by  waiting  until  the  certification  guidance  was 
finally  signed.  Both  the  GAO  and  DoDIG  assert  that  the  DCPDS  program  should  not  be 
suspended  until  all  requirements  were  met. 

l.B.  Finding: 

Previously  identified  CCA  compliance  issues  had  not  been  fully  resolved,  and  relevant  data  were 
not  adequately  analyzed. 

DoD  CIO  Comments:  Non-concur. 

In  January  1999,  the  GAO  identified  DCPDS  development  problems  related  to  each  of  the  five 
interest  items:  Business  Process  Reengineering,  Analysis  of  Alternatives,  Economic  Analysis, 
Performance  Measures,  and  Information  Assurance  (GAO  Report  No.  99.20,  “Defense  IRM: 
Alternatives  Should  Be  Considered  in  Developing  the  New  Civilian  Personnel  System,”  January 
1999).  However,  the  GAO  report  recognized  that  the  CCA  was  not  in  existence  when  DoD  made 
the  initial  decision  to  develop  DCPDS.  Nevertheless,  CPMS  had  made  a  prudent  effort  to 
develop  DCPDS  in  accordance  with  regulatory  guidance  in  existence  at  the  time  the  initial 
decisions  were  made.  CPMS  and  GAO  continue  to  have  ongoing  interaction  to  address  and 
satisfy  GAO  priorities.  Further,  the  CCA  WIPT  addressed  each  interest  item  during  the 
certification  review  and  found  that  CPMS  had  initiated  actions  to  address  GAO  Findings.  The 
data  submitted  for  each  item  was  analyzed  and  found  to  adequately  support  CCA  certification. 

•  Business  Process  Reengineering:  CPMS  implemented  several  business  process 
improvements  and  continued  to  evaluate  further  potential  improvements.  The  DoD  IG 
acknowledged  these  actions.  In  addition,  both  GAO  and  the  DoD  IG  agreed  with  CPMS 
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officials  that  it  was  potentially  too  late  in  the  DCPDS  development  process  to  effectively 
reengineer  personnel  management  processes. 

•  Analysis  of  Alternatives  and  Economic  Analysis:  CPMS  concurred  with  the  GAO  that 
they  will  evaluate  business  and  system  alternatives,  select  the  most  cost  beneficial,  and 
implement  a  transition  plan  for  this  alternative  prior  to  deployment  beyond  the  test  sites. 

•  Performance  Measures:  CPMS  identified  four  major  performance  measure  categories: 

1)  servicing  ratio,  2)  customer  satisfaction,  3)  process  cycle  time,  and  4)  regulatory 
compliance.  GAO  audit  reported  that,  while  performance  measures  have  been  developed, 
standard  DoD  data  is  needed  for  comparison.  CPMS  has  initiated  actions  to  address 
GAO  findings. 

•  Information  Assurance:  The  DoDIG  acknowledged  that  DoD  adequately  and  fairly 
described  the  DCPDS  information  assurance  posture  in  the  congressional  notification. 

l.C.  Finding: 

Key  acquisition  documents  either  were  not  prepared  or  were  not  prepared  and  approved  in  a 
timely  manner,  and  were  not  regularly  updated. 

DoD  CIO  Comments:  Non-concur 

Appropriate  DoD  senior  officials  in  support  of  DCPDS  approved  all  key  acquisition 
documentation  in  accordance  with  DoD  Directive  5000.1  and  DoD  5000.2-R.  These  documents 
included  the  Mission  Needs  Statement,  Economic  Analysis,  Operational  Requirements 
Document  (ORD),  Acquisition  Program  Baseline  (APB),  Security  Plan,  and  Test  and  Evaluation 
Master  Plan.  These  documents  were  also  appropriately  updated  in  accordance  with  DoD 
directives.  For  example,  the  ORD  was  approved  in  October  1996  and  updated  and  approved  in 
November  1999  prior  to  the  Milestone  in  review.  The  Economic  Analysis  was  approved  in 
January  1996  and  update  and  approved  in  January  2000.  Likewise,  the  APB  was  approved  in 
October  1998  and  revised  and  approved  in  October  1999  prior  to  the  Milestone  HI  review. 

Regarding  the  timely  updates  of  these  document,  because  DCPDS  is  a  DoD-wide  program,  its 
documentation  required  extensive  coordination  to  gain  approval  from  the  Military  Services  and 
Defense  agencies.  Nevertheless,  acquisition  oversight  officials  were  always  apprised  of  the 
status  of  key  acquisition  documents  through  the  Acquisition  Oversight  Integrated  Product  Team 
(AOIPT)  that  met  monthly  and  actively  monitored  program  progress  as  well  as  the  completion  of 
key  acquisition  documents  in  support  of  all  acquisition  decisions. 

l.D.  Finding: 

Milestone  exit  criteria  were  not  well  defined  or  sufficiently  tracked  and  enforced 
DoD  CIO  Comments:  Non-concur 
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Acquisition  documentation  requirements  as  well  as  milestone  exit  criteria  for  each  program 
milestone  were  established  in  accordance  with  DoD  Directive  5000.1  and  DoD  5000. 2-R.  The 
Milestone  Decision  Authority  (MDA),  through  the  Acquisition  Decision  Memoranda,  provided 
the  necessary  direction  and  milestone  exit  criteria  for  each  milestone  review.  The  AOIPT 
actively  tracked  MDA  decisions  and  documentation  requirements  through  monthly  program 
reviews  from  March  1997  through  August  2000. 

The  AOIPT  was  instrumental  in  developing  the  cost,  schedule,  and  performance  baseline  for  the 
program,  to  include  the  cost,  schedule,  and  performance  objectives  that  would  be  achieved  by  the 
DoD  Components.  The  acquisition  oversight  staff  used  that  baseline  to  monitor  the  program. 
That  APB  reflected  the  total  program,  both  modernization  and  regionalization.  Prior  to  this 
action,  the  program  baseline  had  been  complicated  due  to  the  multi-contributions  of  the 
Components.  It  also  provided  program  progress  updates,  established  and  tracked  action  items, 
and  traced  audits  and  reviews.  For  example,  the  AIOPT  tracked  the  updates  and  approval  of  key 
acquisition  documents,  including  the  Operational  Requirements  Document  (ORD),  Acquisition 
Program  Baseline  (APB),  Test  and  Evaluation  Master  Plan  (TEMP)  and  Security  Plan.  In 
addition,  it  ensured  the  timely  update  and  approval  of  the  Memorandum  of  Agreement  between 
CPMS  and  the  Air  Force  acquisition  community  as  recommended  in  an  earlier  DoDIG  report, 
“Acquisition  Management  of  the  Defense  Civilian  Personnel  Data  System,”  dated  December  16, 
1997. 

l.E.  Finding: 

CIO  management  controls  for  overseeing  the  DCPDS  development  did  not  provide  active 
oversight  participation  and  involvement  by  senior  DoD  advisors  at  key  decision  points  or 
adequate  and  ongoing  direction  and  guidance  to  the  DCPDS  Program. 

DoD  CIO  Comments:  Non-concur 

The  DoD  Instruction  5000.2  and  DoD  5000. 2-R  state  that  the  Department  should  use  Integrated 
Product  Teams  (IPTs)  to  conduct  acquisition  and  oversight.  Consistent  with  this  approach,  the 
Air  Force  Acquisition  Staff,  in  coordination  with  the  OASD(C3I),  chartered  the  DCPDS  AOIPT 
in  July  1997.  The  AOITP  included  representation  from  stakeholders  in  the  functional, 
acquisition,  testing,  security.  Comptroller,  C3I,  and  the  Component  communities.  Their 
representatives  on  the  AOIPT  kept  senior  oversight  officials  abreast  of  the  program.  The  goal  of 
the  AOIPT  is  to  resolve  as  many  issues  and  concerns  at  the  lowest  level  possible  and  to 
expeditiously  escalate  issues  that  need  resolution  at  a  higher  level,  to  include  functional  issues 
that  can  only  be  resolved  by  the  Principal  Staff  Assistant  (PSA)  and  other  functional 
stakeholders.  We  recognized  that  the  PSA  has  responsibility  of  the  mission  area.  However, 
when  there  were  unsolved  functional  issues  that  impeded  program  execution,  the  DoD  CIO 
issued  an  ADM  directing  the  PSA  and  functional  stakeholders  to  resolve  the  issues.  Further,  all 
ADMs,  providing  ongoing  direction  and  guidance  to  the  program  were  coordinated  with  senior 
DoD  officials  prior  to  issuance. 
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l.F,  Findine: 

The  CIO  did  not  establish  specific  criteria  for  or  define  a  common  approach  to  evaluating  the 
basis  for  CCA  certification. 

DoD  CIO  Comments:  Non-concur 

The  DoD  CIO  issued  policy  guidance  on  July  13,  2000,  “Department  of  Defense  (DoD) 
Information  Technology  (IT)  Systems  Certification  Requirements,”  to  implement  Section  8121 
of  the  DoD  Appropriation  Act  of  FY  2000  (see  attachment).  Our  existing  regulatory  guidance 
for  major  Defense  acquisition  of  May  1997,  “Requirements  for  Compliance  with  Reform 
Legislation  for  Information  Technology  (IT)  Acquisitions  (Including  National  Security  Systems)“ 
provided  the  framework  for  compliance  with  reformed  and  point  of  departure  for  the  CCA 
certification  process  (see  attachment).  Our  July  13,  2000  guidance  requires  that  the  Component 
head  prepare  a  compliance  report  confirming  that  steps  were  taken  to  address  the  congressional 
interest  items,  and  provide  descriptions  of  the  steps  taken  to  address  the  congressional  interest 
items,  and  descriptions  of  the  steps  taken. 

Our  guidance  on  certification  also  included  a  Section  8121(b)-confirmation  matrix  outlining  the 
requirements  or  criteria  for  confirming  the  adequacy  of  the  steps  taken  to  address  the  five  interest 
items.  The  matrix  also  identified  sources  of  reference  for  specific  guidelines  to  assess  the  five 
interest  items.  Further,  the  guidance  requires  the  Component  head  to  concur  that  the  subject 
system  was  developed  in  accordance  with  the  CCA.  The  guidance  also  included  a  sample 
template  for  compliance  reporting.  The  template  indicated  that  compliance  could  be  determined 
by  assessing  the  steps  taken  for  the  five  specific  interest  items. 


RECOMMENDATIONS : 

I- A  Recommendation: 

The  DoDIG  recommends  that  the  Chief  Information  Officer  (CIO),  DoD,  Assistant  Secretary  of 
Defense  (Command,  Control,  Communications,  and  Intelligence)  clarify  and  enhance  the  criteria 
and  approach  to  be  used  by  DoD  Components  for  determining  whether  major  automated 
information  systems  are  developed  in  accordance  with  the  Clinger-Cohen  Act  of  1996. 

DoD  CIO  Comments:  Concur. 

We  agree  that  there  is  a  need  for  better  guidelines  and  standards  for  some  of  the  CCA  compliance 
areas,  such  as  BPR,  Analysis  of  Alternatives,  Performance  Measurement  and  Economic  Analysis. 
Some  of  these  are  already  being  developed  by  the  OSD  offices  responsible  for  those  areas.  The 
Office  of  the  DoD  CIO  plans  to  partner  with  the  DoD  Component  and  OSD  oversight  community 
to  ensure  that  such  guidelines  and  standards  are  developed. 
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Final  Report 
Reference 


We  should  also  note  that  the  Office  of  the  DoD  CIO  is  responsible  for  additional  policies 
regarding  the  implementation  of  the  CCA  that  were  published  in  the  January  4,  2001,  update  to 
DoD  Instruction  5000.2.  These  new  policies  are  primarily  contained  in  sections  4.7.3. 1.5  and 
4.7. 3.2.3. 2  of  DoD  1 5000.2,  and  are  in  implementation  of  Section  81 1  of  the  Floyd  D.  Spence 
National  Defense  Authorizations  Act  for  Fiscal  Year  2001. 

I-B.  Recommendation: 

Strengthen  Chief  Information  Officer  oversight  processes,  including  the  process  for  certifying 
that  Major  Automated  Information  Systems  are  developed  in  accordance  with  the  Clinger-Cohen 
Act  of  1996,  by  periodically  confirming  the  accuracy  and  adequacy  of  information  reported  by 
DoD  components. 

DoD  CIO  Comments:  Concur. 

Recent  changes  to  DoD  5000  documentation  require  that  the  CIOs  of  the  department  certify  or 
confirm  compliance  with  Clinger-Cohen  Act  (CCA)  mandates  in  a  number  of  key  areas.  The 
language  in  DoD  Instruction  5000.2  states  that  CIOs  must  confirm  that:  the  acquisition  supports 
core,  priority  functions  that  need  to  be  performed  by  the  Federal  Government;  no  private  sector 
or  government  source  can  better  support  the  function;  the  processes  that  the  system  supports  have 
been  redesigned  to  reduce  costs,  improve  effectiveness  and  maximize  the  use  of  COTS;  an 
analysis  of  alternatives  (AoA)  has  been  conducted;  for  AIS,  an  economic  analysis  (EA)  has  been 
conducted  that  includes  a  calculation  of  the  return  on  investment  (ROI);  there  are  clearly 
established  measures  and  accountability  for  program  progress;  mission-related,  outcome-based 
performance  measures  have  been  established  and  linked  to  strategic  goals;  the  program  has  an 
information  assurance  strategy  that  is  consistent  with  DoD  policies,  standards,  and  architectures; 
the  acquisition  is  consistent  with  the  Global  Information  Grid  policies  and  architecture,  to 
include  relevant  standards;  to  the  maximum  extent  practicable,  (1)  modular  contracting  is  being 
used,  and  (2)  the  program  is  being  implemented  in  phased,  successive  blocks;  and,  the  system 
being  acquired  is  registered  with  the  DoD  CIO. 

As  stated  earlier,  the  Office  of  the  Deputy  CIO  (ODCIO)  is  working  to  ensure  that  there  are  DoD 
guidelines  with  criteria  and  standards  to  implement  these  policies. 

I-C.  Recommendation: 

Implement,  in  coordination  with  the  Director,  Civilian  Personnel  Management  Service,  standard 
DoD  performance  measures  for  the  Defense  Civilian  Personnel  Data  System. 

DoD  CIO  Comments:  Non-concur. 

Performance  measures  specifically  for  the  modern  DCPDS  have  been  established  as  key 
performance  parameters  outlined  in  the  Operational  Requirements  Document  (ORD)  and  indicate 
the  required  level  of  system  performance  to  support  civilian  personnel  operations. 


Revised, 
page  18 
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Technical  performance  measures  were  captured  in  the  ORD  as  well  as  the  APB.  Through  the 
APB  process,  the  MDA  has  controlled  the  technical  and  operational  measures  at  the  system  level. 
However,  the  PSA  and  the  functional  stakeholders  responsible  for  the  mission  area  determine 
functional  performance  measures  under  DoD  CIO  oversight. 

I-D.  Recommendation; 

Provide  oversight  of  the  Defense  Civilian  Personnel  Data  System  program  acquisition  and 
management  responsibilities  performed  by  the  Civilian  Personnel  Management  Service  (CPMS) 
during  Phase  HI  and  enforce  the  requirements  of  the  acquisition  decision  memorandum. 

DoD  CIO  Comments:  Concur 

We  will  continue  to  oversee  the  DCPDS  acquisition  and  management  throughout  Phase  HI, 
Deployment  and  Operational  Support,  to  ensure  compliance  with  the  Acquisition  Decision 
Memorandum  (ADM).  The  ADM  provided  a  conditional  Milestone  IQ  approval,  authorizing  the 
program  to  begin  fielding,  subject  to  the  completion  of  four  requirements.  One  of  the 
requirements  was  that  CPMS  fully  develop  the  mission-essential  functions  for  the  modern 
DCPDS  and  that  the  Air  Force  Operational  Test  and  Evaluation  Center  perform  the  appropriate 
operational  testing  before  fielding.  We  are  currently  meeting  with  representatives  from  CPMS, 
the  Air  Force  Operational  Testing  and  Evaluation  Center  (AFOTEC)  and  the  Office  of  the 
Director  Operational  Test  and  Evaluation  to  monitor  progress  toward  full  deployment  and 
operations  of  the  modern  DCPDS. 

If  you  have  any  questions  on  the  above,  please  direct  them  to  my  action  officer,  Mr.  Edward 
Wingfield  @  (703)  602-0980  xl26. 


Margaret  E.  Myers  9^  ’ 

Acting  Deputy  Chief  Information  Officer 

Attachments 
As  Stated 
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ASSISTANT  SECRETARY  OF  DEFENSE 
6CXX5  DEFENSE  PENTAGON 
WASHINGTON,  DC  20301-6000 

July  13,  2000 


COMMAND.  CONTROL. 

COMMUNICATIONS.  AND 
INTEUUGCNCE 

MEMORANDUM  FOR:  SEE  DISTRIBUTION 


SUBJECT:  Department  of  Defense  (DoD)  Information  Technology  (IT)  Systems 
Certification  Requirements 

This  memorandum  provides  guidance  on  certification  of  Major  Automated  Information 
Systems  (MAIS)  compliance  with  the  Clinger-Cohen  Act  (CCA)  of  1996  (40  U.S.C  1401  ei 
seq.).  Section  8 12 1  (b)  of  the  DoD  Appropriations  Act,  2000  requires  the  DoD  Chief 
Information  Officer  (CIO)  to  certify  that  MAIS  are  being  developed  in  accordance  with  CCA 
prior  to  each  Milestone  approval  after  Milestone  0.  All  MAIS  programs  (including  those  in 
Acquisition  Category  (ACAT)  lAM.  ACAT  lAC  and  those  designated  as  Special  Interest 
Initiatives)  that  are  scheduled  for  Milestone  approval  in  FY  2000  are  subject  to  this  certification. 
The  certification  process  for  these  initiatives  will  be  tailored  as  appropriate.  The  DoD  CIO  is 
updating  the  current  list  of  DoD  major  IT  investments  subject  to  certification  (dated  May  5, 
1999).  It  will  be  provided  to  you  upon  completion. 


The  statute  requires  the  DoD  CIO  to  notify  the  Congress  of  MAIS  certifications  in  a  timely 
manner.  Such  notifications  to  Congress  must  include  the  program  funding  baseline,  Milestone 
schedule  and,  at  a  minimum,  confirmation  that  the  following  requirements  have  been  satisfied 
with  respect  to  the  program: 

•  Business  Process  Reengineering:  Describe  actions  taken  to  streamline  or 
reengineer  the  business  processes  before  decisions  were  made  to  invest  in  the 
new  IT  system. 


•  Analysis  of  Alternatives:  Identify  and  discuss  alternatives  analyzed  to  justify  the 
preferred  alternative  to  be  initiated  to  satisfy  a  valid  mission  need. 

•  Economic  Analysis:  Include  a  calculation  of  the  r  jtum  on  investment. 

•  Performance  Measures;  Describe  measurable  performance  indicators  used  to 
systematically  track  the  progress  made  in  achieving  predetermined  goals. 

•  Information  Assurance  (lA):  Identify  an  information  assurance  strategy  consistent 
with  the  Department’s  policies,  standards,  and  architectures. 

A  description  of  these  requirements  is  contained  in  the  joint  memorandum  of  May  1,  1997, 
-'Requirements  for  Compliance  with  Reform  Ugislation  for  Information  Technology  (IT) 
Acquisitions  (Including  National  Security  Systems). "  That  memorandum  remains  in  effect  and 
nany  of  its  requirements  have  been  incorporated  into  the  existing  regulatory  guidance  and  our 
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oversight  processes.  In  addition,  the  DoD  CIO  will  determine  any  additional  requirements  for 
certification,  as  appropriate,  on  a  case  by  case  basis. 

The  procedures  for  MATS  certification  will  be  similar  to  those  followed  for  Milestone 
reviews.  The  DoD  Component  Head  or  designee  shall  prepare  the  CCA  Compliance  Report 
prior  to  Milestone  approval  for  ACAT  lAM  and  ACAT  lAC  programs  using  Attachment  1,  the 
Confirmation  Matrix.  Also,  Attachment  2  is  provided  as  sample  templates  for  the  Compliance 
Report  and  CIO  Certification  Report,  Components  shall  submit  the  cerdfication  documentation 
to  the  DoD  CIO  for  ACAT  lAM  and  ACAT  lAC  programs  at  least  six  weeks  prior  to  scheduled 
Milestone  approval.  In  addition,  the  following  procedures  shall  be  followed: 

•  ACAT-IAM  Programs  and  Special  Interest  Programs  for  DCIO  Review: 

The  Component  Head  or  designee  shall  concur  with  the  CCA  Compliance  Report. 
The  DoD  CIO  will  prepare  the  Certificarion  Report  for  congressional  notification. 
The  DoD  CIO  will  coordinate  the  CCA  Cenifi  ation  Report  with  the  Director  for 
Program  Analysis  and  Evaluation  (PA&E),  Under  Secretary  of  Defense 
(Comptroller),  General  Counsel,  Legislative  A/frirs,  ii  id  other  applicable;  staff 
elements. 


•  ACAT-IAC  Programs  and  Special  Interest  Programs  for  Component  CIO 
Review:  Component  Head  or  designee  shall  approve  the  CCA  Compliance  Report 
and  prepare  the  Certification  Report  for  DoD  CIO  approval  and  congressional 
notification.  The  DoD  CIO  will  use  the  same  coordination  process  for  the 
Certification  Report  as  for  lAM  programs  a.s  stated  above. 


Attachments  1  and  2  reflect  the  minimum  requirements  with  the  applicable  Milestone 
decision  points  for  certification.  The  Clinger-Cohen  Act  certification  will  be  addressed  in  the 
next  edition  of  DoD  Instruction  5000.2.  Links  to  documents  rcl  erenced  in  this  niemorandum  are 
at  the  Links  page  URL:  .htt&://www.c3i.osd.mil/org/cio/index.himl. 


My  point  of  contact  for  this  effort  is  Mr.  Edward  Wingfield,  (703)  604-1583, 
M.wingfield@osd.pentaEon.mil. 


Attachments: 
As  staled 


Arthur  L.  Mon^ 

DoD  Chief  Infirfrmalion  Officer 
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DISTRIBUTION: 

UNDER  SECRETARY  OF  DEFENSE,  ACQUISITION  TECHNOLOGY  AND  LOGISTICS 
UNDER  SECRETARY  OF  DEFENSE  (COMPTROLLER) 

UNDER  SECRETARY  OF  DEFENSE  (PERSONNEL  AND  READINESS) 

DIRECTOR.  DEFENSE  RESEARCH  AND  ENGINEERING 
ASSISTANT  SECRETARY  OF  DEFENSE  (HEALTH  AFFAIRS) 

ASSISTANT  SECRETARY  OF  DEFENSE  (RESERVE  AFFAIRS) 

INSPECTOR  GENERAL  OF  THE  DEPARTMENT  OF  DEFENSE 
DIRECTOR,  OPERATIONAL  TEST  AND  EVALUATION 
DIRECTOR.  PROGRAM  ANALYSIS  AND  EVALUATION 
DEPUTY  UNDER  SECRETARY  OF  DEFENSE  (ACQUISITION  REFORM) 

DEPUTY  UNDER  SECRETARY  OF  DEFENSE  (LOGISTICS) 

ASSISTANT  SECRETARY  OF  THE  ARMY  (RESEARCH.  DEVELOPMENT, 

AND  ACQUISITION) 

ASSISTANT  SECRETARY  OF  THE  NAVY  (RESEARCH,  DEVELOPMENT 
AND  ACQUISITION) 

ASSISTANT  SECRETARY  OF  THE  AIR  FORCE  (ACQUISITION) 

DIRECTOR,  JOINT  STAFF 

DIRECTOR.  DEFENSE  PROCUREMENT,  OUSD  (AT&L) 

ACQUISITION  EXECUTIVE,  SPECIAL  OPERATONS  COMMAND 
DIRECTORS  OF  THE  DEFENSE  AGENCIES 

CHIEF  INFORMATION  OFFICERS  OF  THE  MILITARY  DEPARTMENTS 
CHIEF  INFORMATION  OFFICERS  OF  THE  DEFENSE  AGENCIES 
CHIEF  INFORMATION  OFFICERS  OF  THE  DOD  FIELD  ACTIVITIES 
DIRECTOR.  INTELLIGENCE  COMMUNITY  MANAGEMENT  STAFF 
INTELLIGENCE  COMMUNITY  CHIEF  INFORMATION  OFFICER 
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InformatioD  below  is  adxlressed  in  the  wrtte*up  docomenUtioD: 


OFFICE  OF  THE  SECRETARY  OF  DEFENSE 
WASHINGTON,  D  C  20301 

1  May  1997 

MEMORANDUM  FOR:  SEE  DISTRIBUTION 

SUBJECT:  Requirements  for  Compliance  with  Reform  Legislation  for  Information 
Technology  (IT)  Acquisitions  (Including  National  Security  Systems) 


In  the  past  several  years.  Congress  has  enacted  legislation  intended  to  improve  the 
management  and  performance  of  Federal  Agencies.  These  laws  include  Division  E  of  the 
Clinger-Cohen  Act  of  1996  (formerly  titled  the  Information  Technology  Management  Reform 
Act  of  1996  and  hereinafter  referred  to  as  the  ITMRA),  the  Government  Performance  and  Results 
Act  (GPRA)  of  1993,  and  the  Paperwork  Reduction  Act  (PRA)  of  1995.  Furthermore,  recent 
guidance  from  the  Office  of  Management  and  Budget  (0MB)  places  added  emphasis  on 
managing  investments,  to  include  weapon  systems.  Most  of  our  regulatory  guidance  for  major 
Defense  acquisitions  is  consistent  with  the  intent  of  these  laws.  However,  we  need  to  formally 
incorporate  these  requirements  into  the  regulatory  guidance  and  our  oversight  processes. 

The  ITMRA  applies  to  all  IT  acquisitions,  including  IT  supporting  weapon  systems  and 
other  National  Security  Systems  (NSS).  It  requires  the  Secretary  of  Defense  to  maximize  the 
value  and  assess  and  manage  the  risks  of  the  Department’s  (IT)  acquisitions.  As  the  DoD  Chief 
Information  Officer  (CIO),  the  ASD(C3I)  is  responsible  for  ensuring  that  IT  is  acquired  and 
information  resources  are  managed  for  the  Department  within  an  integrated  management 
framework. 

NSS  acquisitions  will  be  reviewed  by  the  appropriate  Milestone  Decision  Authority 
(MDA)  to  ensure  they  comply  with  applicable  provisions  of  ITMRA.  Sections  5123,  5125,  and 
5126  and  51 13(b)(5)(except  for  subparagraph  (B)(iv))  apply  to  all  NSS.  Initially,  sections  5112, 
5122,  and  the  remainder  of  51 13  will  apply  to  individual  NSS  except  as  determined  not  to  be 
practicable  on  a  case  by  case  basis.  Guidance  to  assist  in  making  this  determination  will  be 
developed  by  the  offices  of  the  DoD  CIO  and  USD(A&T).  For  NSS  subject  to  review  by  the 
Defense  Acquisition  Board,  the  DoD  CIO  shall  provide  an  assessment  of  ITMRA  compliance  to 
the  MDA  through  the  DAB  integrated  product  team  (IPT)  process.  Component  Milestone 
Decision  Authorities  (MDAs)  and  CIOs  should  follow  similar  practices  for  IT  programs  subject 
to  their  review  and  approval. 

The  attached  matrix  correlates  the  ITMRA,  GPRA,  and  PRA  requirements  with  the  other 
statutory  and  DoD  regulatory  acquisition  requirements.  To  help  ensure  program  success,  IPT 
members  should  consider  these  requirements  as  programs  progress  through  the  acquisition 
process.  These  requirements  shall  be  applied,  as  appropriate  to  each  increment  of  incremental 
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and  evolutionary  programs.  To  the  maximum  extent  possible,  these  requirements  should  be 
addressed  by  incorporating  them  into  existing  acquisition  processes,  procedures,  and  documents. 

At  each  major  milestone,  the  MDA  and  the  CIO  will  address  these  requirements  as 
follows: 


Pre  Milestone  0.  Some  of  these  requirements  (those  that  address  the  need  for  IT  and  the 
processes  supported  by  IT)  are  the  responsibility  of  the  user  or  the  functional  proponent. 
Responsibility  for  ensuring  compliance  with  these  requirements  prior  to  MDA  Milestone  0 
approval  belongs  to  the  appropriate  user  or  functional  proponent  in  coordination  with  the  Joint 
Requirements  Oversight  Council  (JROC)  process,  the  Component,  or  the  Principal  Staff 
Assistant  (PSA). 


Milestones  0  through  III.  Many  of  these  requirements  are  similar  to  those  that  are 
currently  provided  in  DoD  5000,2-R  and  are,  therefore,  appropriate  for  MDA  review  at  each 
major  milestone.  For  NSS  subject  to  review  by  the  Defense  Acquisition  Board,  the  CIO  shall 
provide  the  MDA  an  assessment  of  compliance  with  these  requirements  through  the  DAB  IPT 
process. 

Post  Milestone  III.  Milestone  III  Acquisition  Decision  Memoranda  (ADMs)  will  include 
post-deployment  performance  evaluation  and  other  performance  measures  guidance,  as 
appropriate.  The  ADM  should  be  clear  that  the  user  or  functional  proponent  will  perform  this 
post-deployment  evaluation  and  provide  the  results  to  the  CIO. 


Please  submit  your  MAISRC-related  questions  to  Dr.  Margaret  Myers  at  (703)  681-4986, 
e-mail  address:  margaret.myers@osd.  mil.  Your  DAB  or  NSS-related  questions  should  be 
directed  to  Ms.  Joanne  Ferguson,  (703)  695-0906,  e-mail  address:  joanne.ferguson@osd.  mil. 
General  comments  can  be  submitted  to  either  point  of  contact. 


Paul  G.  Kaminski 
Under  Secretary  of  Defense 
(Acquisition  &  Technology) 


John  J.  Hamre 
^r  Secretary  of  Defense 
(Comptroller) 

Chief  Financial  Officer 


Emmett  I 
Assistant  Secret 
(Command,  Control,  Communications, 
and  Intelligence) 

Chief  Information  Officer 
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Secretaries  of  the  Military  Departments 
Chairman  of  the  Joint  Chiefs  of  Staff 
Under  Secretaries  of  Defense 
Director,  Defense  Research  and  Engineering 
Assistant  Secretaries  of  Defense 
General  Counsel  of  the  Department  of  Defense 
Inspector  General  of  the  Department  of  Defense 
Director,  Operational  Test  and  Evaluation 
Assistants  to  the  Secretary  of  Defense 
Director,  Administration  and  Management 
Directors  of  the  Defense  Agencies 
Directors  of  the  Field  Activities 
Service  Acquisition  Executives 

Chief  Information  Officers  of  the  Department  of  Defense 
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Assistant  Secretary  of  Defense  (Force 
Management  Policy)  Comments 


ASSISTANT  SECRETARY  OF  DEFENSE 
40CX)  DEFENSE  PENTAGON 
WASHINGTON,  DC  20301-4000 

MAR  6  2001 

FORCE  MANAGEMENT 
POLICY 

MEMORANDUM  FOR  DEPUTY  INSPECTOR  GENERAL 

Subject:  Audit  Report  on  Clinger-Cohen  Act  Certification  of  the  Defense  Civilian 
Personnel  Data  System  (DCPDS)  (Project  No.  D2000AS-0212) 

Thank  you  very  much  for  providing  the  opportunity  for  Jeanne  Fites,  Diane 
Disney,  and  me  to  meet  with  you  and  your  staff  to  discuss  our  concerns  about  the 
subject  draft  audit  report. 

As  we  mentioned,  our  first  concern  was  the  focus  of  the  report  itself.  We 
had  been  led  to  believe  that  the  audit  and  ensuing  report  would  address  Clinger- 
Cohen  certification,  using  four  systems  in  the  analysis.  The  draft,  however, 
seemed  to  concentrate  on  the  modem  Defense  Civilian  Personnel  Data  System 
(DCPDS)  and  to  evaluate  the  actions  of  its  managers  rather  than  to  address  the 
previously  stated  aims.  Therefore,  we  greatly  appreciate  your  willingness  to  recast 
the  document  to  reflect  the  stated  emphasis  on  the  certification  process  itself. 

Our  second  concern  stemmed  from  the  fact  that  the  Clinger-Cohen  Act 
(CCA)  was  enacted  in  1996.  The  analysis  and  documentation  supporting  the 
selection  of  a  commercial-off-the-shelf  (COTS)  product  (1994)  and  the  selection 
of  Oracle  Human  Resources  (1995)  were  completed  prior  to  the  CCA's  enactment. 
The  draft  report  fails  to  acknowledge  this  fact;  instead,  it  repeatedly  alleges  that 
such  analysis  and  documentation  were  not  in  compliance  with  the  CCA.  We 
believe  that  it  is  important  to  note  that  CPMS  and  DoD  followed  the  regulations, 
guidance,  and  best  practices  that  were  available  at  the  time,  many  of  which  later 
became  incorporated  in  the  CCA.  We  appreciate  your  willingness  to  have  the 
report  acknowledge  the  actual  chronology. 

We  were  also  concerned  about  the  statements  that  we  had  not  engaged  in 
sufficient  reengineering.  To  the  contrary,  the  very  existence  of  regionalization  and 
systems  modernization  constituted  a  profound  reengineering  of  the  way  the 
personnel  community  conducted  its  business.  Our  efforts  to  produce  and  release 
interim  process  improvements  (as  one  of  the  few  real  successes  of  the  Corporate 
Information  Management  effort)  marked  a  singular  effort  both  to  reengineer 
processes  and  to  train  a  computer-illiterate  workforce  in  the  use  of  new  tools. 
These  efforts  were  also  accompanied  by  a  revamping  of  the  Civilian  Personnel 
Manual,  an  effort  now  more  than  half  way  completed  that  will  eliminate  over 
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three-quarters  of  the  personnel  regulations,  thereby  greatly  streamlining 
operations.  Indeed,  few,  if  any,  functional  communities  within  the  Department 
have  so  fundamentally  changed  their  way  of  doing  business. 

As  we  discussed,  the  draft  contains  numerous  inaccurate  statements  and 
requires  clarification  in  several  areas.  For  example,  the  draft  quotes  findings  from 
the  General  Accounting  Office  (GAO)  Report  No.  99-20;  however,  it  does  not 
seem  to  acknowledge  CPMS's  efforts  to  address  GAO’s  concerns  and 
recommendations.  In  fact,  GAO  informed  CPMS  that  it  was  too  late  in  the 
process  to  apply  the  provisions  of  the  CCA  retroactively.  GAO  recommended  that 
we  should  focus  our  efforts  on  regionalization,  future  IT  benchmarking,  and 
technology  refresh.  We  believe  that  the  draft  needs  revision  to  remove  misleading 
comments.  As  promised,  the  attachment  provides  details  that  should  help  address 
some  information  gaps  and  add  clarification. 

We  believe  that  the  acquisition  of  the  modern  DCPDS  was  in  full 
compliance  with  all  legal  and  regulatory  requirements,  the  documentation  was 
appropriate  and  timely,  and  the  analysis  was  sufficient.  Regionalizing  civilian 
personnel  service  delivery  and  modernizing  the  supporting  information  system 
will  improve  the  quality  of  the  service  and  provide  substantial  cost  savings  to  the 
Department.  As  we  discussed,  it  is  inappropriate  to  base  program  management 
accountability  on  retroactive  application  of  policies  and  procedures.  We  believe 
that  DoD  not  only  complied  with  the  statutory  and  regulatory  requirements  that 
were  in  effect  when  key  decisions  were  made  but  also  followed  the  best  industry 
practices  for  those  areas  where  specific  guidance  was  lacking.  Per  DoD  guidance, 
CPMS  adapted  to  policy  and  procedural  changes  as  the  program  evolved.  Our 
attached  comments  support  this  position. 

Again,  we  appreciate  the  opportunity  to  share  our  comments,  and  we 
particularly  appreciate  the  agreement  already  reached  to  delete  the  reference  to  add 
security-related  information  to  the  users'  manual.  We  look  forward  to  working 
with  you  on  the  next  iteration.  My  point  of  contact  is  Ms.  Cheryl  Fuller  at  703- 
696-1982. 


Acting  Assistant  Secretary 


Attachment: 
As  stated 
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Final  Report 
Reference 


CPMS  COMMENTS  ON 

THE  DOD  INSPECTOR  GENERAL  DRAFT  PROPOSED  AUDIT 
REPORT:  CLINGER-COHEN  ACT  CERTIFICATION  OF  THE  DEFENSE 
CIVILIAN  PERSONNEL  DATA  SYSTEM  (PROJECT  NO.  D2000AS-0212) 

Comments  are  presented  in  three  major  categories: 

•  Comments  on  Findings 

•  Comments  on  Recommendations 

•  General  Comments  to  Statements  made  in  the  Draft 

I.  COMMENTS  ON  FINDINGS  (Page  4) 

I-A.  DoD  IG  Finding: 

Previously  identified  CCA  compliance  issues  had  not  been  fully  resolved,  and  relevant  data  were 
not  adequately  analyzed. 

CPMS  Comments:  Non-concur 

The  referenced  GAO  report  recognizes  that  the  Clinger-Cohen  Act  was  not  in  existence  when 
DoD  made  the  initial  decision  in  developing  the  modem  DCPDS.  The  selection  and 
development  of  the  modem  DCPDS  followed  acquisition  regulations  and  guidelines  that  were  in 
existence  at  the  time  the  initial  decisions  were  made.  Every  effort  was  made  to  balance  sound 
objective  data  with  business-based  decisions.  Initial  estimates  of  costs,  benefits,  and  returns 
were  adequate  to  ensure  that  the  concept  of  regionalizing  civilian  personnel  service  delivery  and 
modernizing  the  supporting  information  system  would  provide  substantial  cost  savings. 

The  DoD  IG  did  not  consider  ongoing  interaction  between  GAO  and  CPMS  action  officers 
subsequent  to  the  publication  of  the  GAO  report.  During  this  time,  GAO  officials  assigned 
CPMS  priority  actions  they  wanted  accomplished.  GAO  indicated  that  its  first  priority  was  for 
the  Department  to  evaluate  the  current  regional  service  stmcture  and  staff  stmctures  to  ensure 
they  were  optimal.  The  Department  did  this  and  is  currently  staffing  the  draft  reports.  GAO  also 
indicated  it  was  inappropriate  to  evaluate  other  commercially  available  products  at  that  time. 

The  DoD  IG  Audit  Follow-up  Office  was  advised  of  all  actions  taken  by  CPMS  as  well  as 
conversations  with  GAO  regarding  this  matter,  and  that  office  provided  no  comments  to  indicate 
that  CPMS  was  not  pursuing  the  correct  actions. 

Based  on  discussions  with  GAO,  subsequent  to  the  publication  of  the  GAO  report  in  January 
1999,  we  have  taken  steps  to  address  and  satisfy  GAO  priorities.  As  discussed  above,  GAO 
action  officers  indicated  it  was  too  late  in  the  program  to  determine  whether  the  selection  of 
Oracle  HR  was  optimal.  Rather  GAO  indicated  that  we  should  continuously  evaluate  new  HR 
software  applications  that  could  enhance  the  cost  savings  realized  by  the  modem  DCPDS. 
Recommend  this  finding  be  dropped  based  on  the  information  provided  here  and  later  in  the 
general  comments. 
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I-B.  DoD  IG  Finding: 

Key  acquisition  documents  either  were  not  prepared  or  were  not  prepared  and  approved  in  a 
timely  manner,  and  were  not  regularly  updated. 

CPMS  Comments:  Non-concur 

We  disagree  with  this  finding  and  recommend  that  it  be  dropped.  We  regularly  updated  program 
documentation  and  prepared  key  acquisition  documentation  in  conjunction  with  the  Major 
Automated  Information  System  Council  (MAISRC)  process.  Prior  to  each  Milestone  review, 
CPMS  provided  copies  of  all  required  program  documentation.  MAISRC  officials  were 
provided  status  updates  and  copies  of  program  documentation  during  the  AOIPTs  for  review  and 
comment.  Unlike  Component-  specific  programs,  modem  DCPDS  is  a  DoD-wide  program  and 
required  extensive  coordination  to  gain  approval  from  the  Military  Services  and  Defense 
agencies,.  This  process  took  an  extensive  amount  of  time;  however,  documents  rarely  changed 
from  the  drafts  provided  to  the  AOIPT  for  review.  The  MAISRC  members  were  fully  aware  of 
the  process  required  for  coordination  and  were  satisfied  with  our  progress.  At  no  time  was 
CPMS  working  in  isolation  from  MAISRC  members.  As  the  program  evolved,  we  regularly 
updated  the  documentation  for  the  program  as  required.  The  AOIPT  regularly  addressed  the 
status  of  program  documentation  and  provided  guidance  when  documents  needed  revision. 
Program  documents  were  submitted  to  the  appropriate  officials  on  time,  despite  the  official 
publication  and  signature  date. 

By  summarizing  what  happened  with  regard  to  four  key  documents  throughout  the 
program's  life,  the  following  table  shows  how  and  when  documentation  was  prepared,  approved, 
and  regularly  updated. 


Acquisition  Program  Baseline  (APB) 

Document  Date 

Document 

Comments 

June  30,  1995 

Original  Acquisition 
Program  Baseline 
(APB)  Document 

Document  required  by  Milestone  0 
System  Decision  Memorandum 
(SDM)  for  next  Milestone  review. 
Document  provided  to  Major 

Automated  Information  Systems 
Requirements  Council  (MAISRC)  for 
Milestone  VH  Review. 

Approved  on  August  16,  1995  by 
SAF/AQK.  Document  provided  to 
MAISRC  in  November  1995,  as  read 
ahead  material  for  Milestone  I/II 
review. 

October  3,  1996 

APB  Approved 

Document  developed  based  on  the 

May  20,  1996  Milestone  I/II 

Acquisition  Decision  Memorandum 
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(ADM).  APB  was  approved  by 
ASD(FMP). 

June  23,  1997 

APB  Approved 

After  December  1996  briefing,  the 
OASD(C3I)  requested  that  the  APB  be 
updated  to  define  program  life  cycle 
costs  in  greater  detail  before  signing. 
APB  was  again  approved  by 

ASD(FMP). 

February  25, 1998 

APB  Signed 

As  a  result  of  a  July  3,  1997  ADM, 
CPMS  was  required  to  update  the 

APB.  This  document  was  coordinated 
with  all  Component  PMs  and 
Comptroller  representatives,  signed  by 
ASD(FMP)  and  PDASD(C3I)  and 
copy  provided  to  AOIPT. 

October  15, 1998 

APB  Revision  1  Signed 

Document  revised  to  reflect  program 
breach  in  cost  schedule.  Document 
coordinated  with  all  Component  PMs 
and  Comptroller  representatives, 
signed  by  PDASD(FMP)  and 

ASD(C3I),  and  copy  provided  to 
AOIPT. 

Octobers  11,  1999 

APB  Revision  2  Signed 

Revised  to  include  changes  made  to 

Key  Performance  Parameters  (KPPs) 
and  critical  technical  parameters  based 
on  the  November  1999  ORD.  This 
document  was  coordinated  with  all 
Component  PMs  and  Comptroller 
representatives,  signed  by 
PDASD(FMP)  and  ASD(C3I),  and 
copy  provided  to  AOIPT. 

Operational  Requirements  Document  (ORD) 

Document  Date 

Document 

Comments 

October  1995 

Original  ORD 

Approved 

Document  required  by  the  May  23, 

1995  Milestone  0  SDM  for  next 
Milestone  review.  Document 
provided  to  MAISRC  in  November 
1995,  as  read  ahead  material  for 
Milestone  VU  review. 

April  25,  1996 

ORD  Signed 

Revised  ORD  based  on  the  May  20, 
1996  Milestone  l/II  ADM  and  signed 
by  acquisition  PM  (APM)  and 
functional  PM  (FPM).  AOIPT 
advised  APM  and  FPM  that  document 
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must  be  approved  by  the  ASD(FMP). 
Document  revised  and  staffed  for 
signature. 

Octobers,  1996 

ORD  Approved 

ORD  revised  based  on  AOIPT 
direction,  as  mentioned  above.  ORD 
approved  by  ASD(FMP). 

September  19,  1997 

ORD  Updated 

As  a  result  of  a  July  3, 1997  ADM, 
CPMS  was  required  to  update  the 

ORD.  Update  included  a 
requirements  correlation  matrix,  a 
Customer  User  Agreement,  and  KPPs. 
Update  provided  to  AFOTEC  and 
SAF/AQK. 

November  1998 

ORD  Reviewed 
(adequacy  and 
consistency) 

Based  on  new  Test  and  Evaluation 
Master  Plan  (TEMP),  review 
requested  by  AOIPT. 

November  23, 1999 

ORD  Revised 

Updated  KPPs  and  the  critical 
technical  parameters.  ORD  signed  by 
APM  and  FPM  after  coordination. 

Copy  provided  to  the  Overarching  IPT 
for  Milestone  III  review. 

Test  and  Evaluation  Master  Plan  (TEMP) 

Document  Date 

Document 

Comments 

October  1995 

Original  TEMP 

Document  required  by  Milestone  0 

SDM  for  next  Milestone  review. 
Document  provided  to  MASRC  in 
November  1995,  for  Milestone  I/II 
Review.  Signed  by  APM  and  FPM 
and  formally  reviewed  by  AFOTEC 
and  SAF/AQK. 

April  25,  1996 

TEMP  Signed 

Air  Force  Test  &Evaluation  approved 
on  November  15,  1996. 

August  1997 

TEMP  Workgroup 
Established 

As  a  result  of  a  July  3,  1997,  ADM,  an 
update  the  TEMP  was  required.  The 
program  office  updated  the  TEMP  as 
required  but  had  difficulty  obtaining 
coordination.  AIOPT  established  a 
critical  process  action  team  to  resolve 
issues  with  the  TEMP  and  expedite 
coordination.  First  meeting  held 
October  15,  1997.  The  TEMP  was 
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finalized  September  28,  1998. 

September  28,  1998 

TEMP  Signed 

TEMP  signed.  Copy  used  by  the 
Overarching  IPT  for  May  2000 
Milestone  III  review. 

Economic  Analysis  (EA) 

Document  Date 

Document 

Comments 

December  29, 

1994 

PA&E  Cost  Analysis 
Approved 

By  memorandum  dated  December  29, 
1994,  Mr.  Paige  (OSD/C3I)  indicated 
that  the  PA&E  Cost  Analysis  was 
sufficient  as  an  approved  economic 
analysis  (EA)  for  the  modem  DCPDS. 
During  Milestone  0  review,  the  PA&E 
staff  concluded  the  EA  should  be 
revalidated  using  the  latest  cost 
projections. 

December  1995 

1995  EA- Initial 
Preparation 

Copy  provided  in  November  1995  to 
the  MAISRC  for  the  Milestone  I/II 
review. 

January  17,  1996 

1996  EA  -  Update  of 

95  EA 

Copy  provided  to  AOIPT. 

September  29,  1997 

1997  EA- update  of 

96  EA 

As  a  result  of  a  July  3,  1997  ADM,  we 
were  required  to  update  the  EA.  Copy 
provided  to  the  AOIPT. 

September  20,  1998 

1998  EA  -  Update  of 

97  EA 

Copy  provided  to  AOIPT. 

January  2000 

1999  EA  -  Update  of 

98  EA 

Copy  provided  to  the  Overarching  IPT 
for  the  May  2000  Milestone  IB 
review. 

I-C.  DoD  IG  Finding: 

CIO  management  controls  for  overseeing  the  DCPDS  development  did  not  provide  active 
oversight  participation  and  involvement  by  senior  DoD  advisors  at  key  decision  points  or 
adequate  and  ongoing  direction  and  guidance  to  the  DCPDS  Program. 

CPMS  Comments:  Non  concur 

We  disagree  with  this  finding.  Senior  oversight  officials  were  involved  in  the  process,  including 
representatives  from  acquisition,  testing,  security,  Comptroller,  C3I,  and  the  Components. 
Throughout  the  process  the  senior  DoD  advisors  were  kept  abreast  of  the  program  by  their 
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representatives  on  the  Acquisition  Oversight  IPT,  and  through  these  representatives  they 
provided  ongoing  direction  and  guidance  on  key  decisions.  While  there  was  no  formal  meeting 
of  the  Overarching  IPT,  several  times  during  the  process  as  key  decision  points  were  reached,  the 
Deputy  Assistant  Secretary  of  Defense  (Civilian  Personnel  Policy)  and  the  Director,  CPMS  met 
with  Overarching  IPT  members  to  discuss  these  key  program  decisions. 


II.  COMMENTS  ON  RECOMMENDATIONS  (Pages  15-16) 

II-A.  DoD  IG  Recommendation: 

1.  We  recommend  that  the  Chief  Information  Officer,  DoD,  Assistant  Secretary  of  Defense 
(Command,  Control,  Communications,  and  Intelligence): 

c.  Implement,  in  coordination  with  the  Director,  Civilian  Personnel  Management 

Service,  standard  DoD  performance  measures  for  the  Defense  Civilian  Personnel  Data 
System. 

CPMS  Comments:  Non-concur 

Performance  measures  for  DCPDS  appear  to  be  measures  on  how  well  work  is  being  performed 
in  the  operating  personnel  offices.  Therefore,  we  do  not  believe  that  it  is  appropriate  for  the  CIO 
to  be  involved  in  implementing  these  performance  measures.  However,  performance  measures 
specifically  for  the  modem  DCPDS  have  been  established  as  key  performance  parameters 
outlined  in  our  Operational  Requirements  Document  (ORD)  and  indicate  the  required  level  of 
system  performance  to  support  civilian  personnel  operations.  Additionally,  performance 
measures  have  been  developed  to  guide  the  performance  of  our  operation,  sustainment,  and 
maintenance  contractor  to  ensure  that  the  modem  DCPDS  is  operated  and  available  to  the 
personnel  community  in  the  most  efficient  manner.  The  Defense  Logistics  Agency  Contracting 
Office  has  reviewed  these  performance  measures  for  adequacy. 

We  recommend  that  1-c  be  deleted  or  at  a  minimum  revised  to  read:  "Coordinate  on  the  DoD 
standard  performance  measures  developed  by  the  Director,  Civilian  Personnel  Management 
Service  for  the  Defense  Civilian  Personnel  Data  System."  While  we  agree  that  the  CIO  needs  to 
be  aware  of  this  effort,  this  recommendation  is  more  appropriately  assigned  to  the  Director, 
CPMS. 


II-B.  DoD  IG  Recommendation: 

1 .  We  recommend  that  the  Chief  Information  Officer,  DoD,  Assistant  Secretary  of  Defense 
(Command,  Control,  Communications,  and  Intelligence): 

d.  Provide  oversight  of  the  Defense  Civilian  Personnel  Data  System  program  acquisition 
and  management  responsibilities  performed  by  the  Civilian  Personnel  Management 
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Service  during  Phase  in  and  enforce  the  requirements  of  the  acquisition  decision 
memorandum. 

CPMS  Comments:  Non-concur 

In  an  information  technology  acquisition  program  such  as  modem  DCPDS,  Phase  III  involves 
logistics  management  and  only  residual  acquisition  responsibilities.  CPMS  regularly  reports  the 
status  of  accomplishing  the  requirements  of  the  acquisition  decision  memorandum  to  C3I,  and 
provides  quarterly  Defense  Acquisition  Executive  Summary  (DAES)  reports.  Recoirunend  this 
be  dropped. 

II-C.  DoD  IG  Recommendation: 

2.  We  recommend  that  the  Director,  Civilian  Personnel  Management  Service,  before  deploying 
the  Defense  Civilian  Personnel  Data  System  to  further  sites; 

a.  Appropriately  secure  all  interfaces  between  the  Defense  Civilian  Personnel  Data  System 
and  other  automated  systems. 

CPMS  Comments:  This  recommendation  should  be  removed. 

We  have  already  ensured  that  all  our  interfaces  are  appropriately  secure  and  will  continue  to 
monitor  interface  security  throughout  deployment.  A  rigorous  risk  analysis  was  conducted  on 
the  modem  DCPDS,  to  include  existing  interfaces.  Based  on  the  formal  operational  security  test 
and  evaluation,  the  Designated  Approving  Authority  (DAA)  provided  full  security  accreditation 
for  the  modem  DCPDS  on  February  22,  2000.  Because  the  DAA  accepted  the  system  risks  and 
mitigating  circumstances  for  the  modem  DCPDS  and  its  interfaces,  a  delay  in  deployment  is 
unwarranted  and  unnecessary.  The  issue  of  risk  associated  with  interfaces  has  been  addressed  by 
the  modem  DCPDS  Computer  Security  Work  Group  (CSWG)  and  with  the  sustainment 
contractor.  CPMS  has  coordinated  with  DFAS  on  our  single  interface  (two-way  data  feed)  that 
exists  between  our  system  and  the  payroll  system.  DFAS  does  not  have  plans  to  encrypt  this 
data.  It  is  clear  that  as  the  modem  DCPDS  evolves,  the  CSWG  must  review  additional  and  new 
data  feeds,  and  determine  security  protection  requirements  for  systems  certification.  We  also 
recommend  revision  of  the  section  on  Assessment  of  DCPDS  Information  Assurance. 

II-D.  DoD  IG  Recommendation: 

2.  We  recommend  that  the  Director,  Civilian  Personnel  Management  Service,  before  deploying 
the  Defense  Civilian  Personnel  Data  System  to  further  sites; 

b.  Update  the  Defense  Civilian  Personnel  Data  System  Users  Manual  to  adequately  define 
password  characteristics  and  procedures  to  avoid  unauthorized  use  of  terminals,  and  to 
aid  in  the  appropriate  marking  of  sensitive  data. 
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CPMS  Comments:  We  understand  that  this  recommendation  has  been  removed.  We  agree  with 
and  appreciate  that  removal. 


m,  GENERAL  COMMENTS  TO  STATEMENTS  MADE  IN  THE  DRAFT 
REPORT; 

The  following  comments  relate  directly  to  the  draft  report  section  heading  in  bold. 

in-A.  Previously  Identified  CCA  Problems  (Page  5) 

Please  see  comments  on  Page  1,  under  item  I- A. 

DoD  Investment  in  DCPDS  (Page  6) 

Based  on  discussions  with  GAO,  subsequent  to  the  publication  of  the  GAO  report  in  January 
1999,  we  have  taken  steps  to  address  and  satisfy  GAO  priorities.  As  discussed  above,  GAO 
action  officers  indicated  it  was  too  late  in  the  program  to  determine  whether  the  selection  of 
Oracle  HR  was  optimal.  Rather,  GAO  indicated  that  we  should  continuously  evaluate  new  HR 
software  applications  that  could  enhance  the  cost  savings  realized  by  the  modem  DCPDS. 
Recommend  this  paragraph  be  dropped  based  on  these  comments  and  the  comments  included 
later  on  the  Analysis  of  Alternatives  and  Economic  Analysis. 

Business  Process  Reengineering  (Page  6) 

We  disagree  with  the  conclusion  that  “CPMS  officials  did  not  critically  examine  and  redesign 
their  mission  delivery  processes,  as  a  whole,  to  achieve  the  greatest  possible  benefits  before 
deciding  to  invest  in  the  modem  DCPDS.”  The  Department  has  dramatically  changed  the 
fundamental  way  it  delivers  civilian  personnel  services,  given  the  current  constraints  of  Federal 
personnel  management  laws.  Over  the  past  decade,  the  Department  conducted  numerous 
workgroups  and  studies  that  looked  at  the  various  aspects  of  the  civilian  personnel  function  to 
identify  those  areas  that  could  benefit  from  reengineering  improvements.  The  Department's 
decision  to  regionalize  the  delivery  of  personnel  services  and  modernize  its  information  system 
resulted  from  these  studies  and  workgroups.  Additionally,  these  studies  provided  the  basis  for 
the  civilian  personnel  function  to  move  toward  a  unified  policy  framework,  and  to  consolidate 
common  operating  functions  and  services  into  a  single  delivery  source.  By  themselves,  these 
decisions  represented  a  fundamental  reengineering  of  processes. 

In  identifying  these  sub-areas  for  further  reengineering  improvements,  the  civilian  personnel 
community  critically  examined  and  redesigned  its  business  processes  to  the  extent  possible,  prior 
to  selection  of  a  COTS  product  and  prior  to  the  establishment  of  CPMS.  In  this  way,  the 
Components  revolutionized  the  delivery  of  HR  support  services.  The  creation  of  CPMS,  the 
implementation  of  new  processes,  and  the  decision  to  move  to  a  single  automated  HR  support 
system  evidenced  this  revolution.  However,  these  efforts  were  implemented  incrementally  to 
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avoid  disruption  of  ongoing  HR  support  operations  while  we  were  simultaneously  managing  the 
DoD  downsizing  and  reducing  the  ranks  of  the  personnel  community  itself.  This  incremental 
approach  may  have  diminished  the  visibility  of  these  changes,  but  not  their  effects.  Ultimately, 
the  selected  COTS  software  product  supports  the  reengineered  business  processes  and  the 
regionalized  infrastructure. 

DoD  considers  its  current  regionalization  and  systems  modernization  initiative  a  continuing  and 
evolutionary  reengineering  improvement  program  effort.  DoD  gave  the  Components  a  DoD 
regionalization  configuration  model  to  design  the  regional  structures.  Some  deviations  to  the 
model  were  allowed  to  test  the  efficiency  and  effectiveness  of  different  operating  methods, 
allowing  the  Department  to  consider  best  practices  for  future  program  improvements.  DoD  has 
been  recognized  as  a  leader  in  reengineering  and  establishing  best  practices  among  HR 
operations. 

It  is  important  to  consider  the  extent  to  which  the  civilian  personnel  function  is  regulated  and 
governed  by  Public  Law  implemented  by  Federal  rules  and  regulations.  These  rules  and 
regulations  are  binding  on  the  DoD  personnel  community  and  must  be  followed,  thereby 
affecting  the  extent  to  which  a  process  can  be  reengineered  within  the  personnel  function. 
Additionally,  many  changes  affecting  the  civilian  workforce  must  be  negotiated  with  the  unions. 
For  example,  in  the  Fall  of  1997,  we  kicked  off  a  huge  reengineering  effort  in  partnership  with 
union  officials  attempting  to  change  several  personnel  processes.  However,  aside  from  the  area 
of  workforce  transition,  we  were  unable  to  change  the  personnel  processes  because  union 
officials  resisted  the  proposed  changes. 

We  recommend  revision  of  this  section. 

Analysis  of  Alternatives  and  Economic  Analysis  (Pages  6-7) 

We  disagree  with  the  statement,  “DoD  had  no  conclusive  evidence  that  its  investment  in  DCPDS 
was  optimal.”  CPMS  conducted  an  extensive  analysis  of  alternatives  prior  to  making  a  COTS 
selection  recommendation.  After  an  exhaustive  search  for  available  software  and  identification 
of  such  packages,  the  list  was  refined  to  only  three  packages  that  could  support  the  massive 
Department  of  Defense  requirements.  Once  the  three  packages  were  identified,  we  conducted  a 
second,  more  detailed  evaluation  of  each  vendor’s  product.  Cost  was  one  of  the  factors 
evaluated,  but  there  were  several  others,  including  market  presence,  implementation  support, 
extensibility,  graphical  user  interface,  technical  features  and  functionality.  All  evaluated 
categories  were  assigned  a  weighting  factor,  and  each  product  was  scored  independently.  The 
total  scores  were  calculated,  and  each  product  was  ranked  in  order  of  score,  with  the  Oracle  HR 
product  scoring  well  above  the  other  two  packages.  All  of  the  DoD  Components  were  engaged 
in  review  of  those  data.  The  Acquisition  Program  Manager  was  then  authorized  to  use  this 
information  and  purchase  the  alternative  that  was  the  most  cost  efficient  and  appropriate  for  the 
government. 

As  an  indicator  of  the  evidence  of  the  positive  value  of  DoD’s  investment  in  the  modem 
DCPDS,  the  CIO’s  certification  cited  a  return  on  investment  of  72.6  percent  for  FY  2000  through 
2010,  with  an  annual  projected  savings  of  $223  million  per  year. 
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Performance  Measures  (Page  7) 

The  DoD  IG  indicated  that  CPMS  did  not  have  a  common  base  from  which  to  measure  DCPDS 
performance  gains.  However,  the  CPMS -developed  1994  DoD  Regionalization  Planning 
Guidance  required  Components  to  establish  a  baseline  against  which  the  effects  of 
regionalization  and  systems  modernization  could  be  measured  and  assessed.  The  Components 
developed  and  secured  approval  of  a  core  evaluation  plan  to  assess  the  effects  of  the 
Regionalization  and  Modernization  Program  on  the  quality  and  cost  of  the  delivery  of  civilian 
personnel  services.  The  evaluation  framework  was  set  forth  by  CPMS  and  agreed  to  by  the 
Components.  The  plan  requires  Component  baseline  evaluations,  periodic  progress  reviews,  and 
post-regionalization  evaluations.  The  ratio  of  Personnel  Specialist  to  people  supported  was 
selected  as  the  primary  cost  measurement.  Efficiency  and  effectiveness  were  defined  as 
customer  satisfaction,  process  cycle  time,  and  regulatory  compliance.  The  baseline  evaluation 
plan  requires  that  each  Component  track  its  current  performance.  The  baseline  data  were 
collected  to  enable  Defense  to  determine  whether  the  modem  system  and  business  strategies  are 
achieving  predicted  cost  and  performance  improvements.  Until  regionalization  and 
modernization  efforts  are  complete,  the  data  will  not  support  a  conclusive  evaluation. 

DoD  is  in  the  process  of  establishing  standardized  metrics  with  standard  definitions.  The 
modem  DCPDS  has  a  productivity  measurement  module  with  the  capability  of  recording  and 
storing  data  about  key  events  that  occur  in  the  HR  process.  The  functionality  of  this  productivity 
module  will  allow  all  DoD  Components  to  capture  performance  data  in  a  standard  automated 
manner.  No  baseline  has  been  established  using  this  particular  productivity  module  because  the 
modem  DCPDS  has  not  been  fully  or  sufficiently  fielded.  When  properly  fielded,  this  tool  will 
allow  the  Components  to  capture  and  report  a  standard  set  of  productivity  data  and  provide  the 
basis  for  improvement  measurements  across  the  Department. 

Throughout  the  regionalization  process,  the  Components  have  used  comprehensive  metrics 
systems  based  on  DoD  guidance  to  track  the  timeliness,  reliability,  and  volume  of  their  work. 
They  use  these  tools  to  gather  and  relay  information  to  managers,  and  to  operate  and  identify 
resources  needed  for  human  resources  operations.  Though  the  tools  used  vary  among  the 
Components,  there  is  commonality  among  the  performance  measures  since  the  Components  all 
perform  the  same  core  human  resources  functions.  The  collection  of  performance  measurement 
data  by  the  Components  also  meets  the  requirements  to  comply  with  the  Government 
Performance  and  Results  Act  of  1993. 

We  believe  that  the  DoD  IG  assessment  in  this  area  is  premature  and  does  not  reflect  DoD  efforts 
to  date.  We  recommend  revision  of  this  section. 

III-B.  Key  Documentation  for  Milestone  Reviews  (Page  10) 

Contrary  to  the  statement  that  “The  Milestone  Decision  Authority  did  not  ensure  that  key 
documentation  for  the  DCPDS  was  prepared  for  consideration  during  milestone  decisions,” 
CPMS  provided  copies  of  all  required  program  documentation  prior  to  each  Milestone  review. 
Further,  we  question  the  statement  that  “Therefore,  it  is  unclear  whether  the  original  milestone 
decision  was  nullified.  Overall,  a  final  Milestone  I  or  II  decision  by  the  MDA  was  not 
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documented.”  We  received  a  Milestone  I  decision  on  May  20,  1996,  subject  to  submission  of  an 
approved  Acquisition  Program  Baseline  (APB),  Operational  Requirements  Document  (ORD), 
and  Test  and  Evaluation  Master  Plan  (TEMP)  to  the  MAISRC.  These  documents  were 
submitted  and  the  Milestone  I  decision  was  not  nullified.  Therefore,  there  is  no  basis  for  the 
comment  in  the  draft.  (The  table  presented  earlier  in  this  document  provides  further  details.) 


III-C.  Milestone  Exit  Criteria  (Page  11) 

The  report  states  “The  May  20,  1996,  ADM  provided  Milestone  I  approval  pending  the 
submission  by  July  1996  of  an  approved  Operational  Requirements  Document,  an  Acquisition 
Program  Baseline,  and  a  Test  and  Evaluation  Master  Plan.  DCPDS  Program  officials  should 
have  developed,  approved,  and  submitted  the  key  documents  for  consideration  before  the 
Milestone  I  decision,  but  did  not  submit  them  to  the  CIO  in  final  form  until  4,  21,  and  31  months, 
respectively,  after  the  Milestone  I  decision.”  As  reflected  in  the  table  presented  earlier,  we 
disagree  with  this  assessment.  In  late  November  of  1995,  CPMS  assembled  binders  containing 
all  signed  documentation  and  delivered  copies  to  all  MAIS  members  (read-ahead  for  a  Milestone 
I  and  Milestone  n  approval  meeting).  Included  in  those  binders  were  copies  of  the  TEMP  and 
ORD  that  had  been  signed  and  approved  by  both  the  Functional  Program  Manager  and  the 
Acquisition  Program  Manager  in  October  1995.  In  a  December  1995  meeting  with  MAIS 
members,  revisions  to  both  the  TEMP  and  ORD  were  directed.  In  Febmary  1996,  a  meeting  was 
held  between  Component  representatives  and  AFOTEC  to  revise  the  ORD  in  accordance  with 
AFOTEC  guidelines.  CPMS  made  the  revisions  to  the  ORD  and  the  revised  document  was 
signed  in  April  1996  (later  revised  for  Milestone  HI).  The  MAIS  directed  that  additional 
signature  lines  be  added  to  the  TEMP.  A  series  of  meetings  was  held  to  get  all  parties  to  agree  to 
sign  the  TEMP.  It  should  be  noted  that  most  of  these  meetings  resulted  in  only  minor  changes, 
while  the  overall  intent  and  major  focus  of  the  documents  never  changed.  Nevertheless,  final 
approval  was  delayed. 

As  for  the  APB,  the  original  document  was  completed  in  June  1995.  The  final  document  was 
delayed  pending  signature  by  Component  Comptrollers  to  certify  the  funding  lines.  That  final 
APB  included  the  key  performance  parameters  specified  in  the  ORD,  and  was  approved  for  all 
purposes  minus  Component  Comptroller  signatures.  However,  as  the  program  continued,  and 
the  schedule  changed,  the  numbers  also  changed.  Instead  of  submitting  an  APB  that  had  to  be 
changed  immediately,  we  were  tasked  with  updating  the  numbers  and  running  the  document 
through  the  approval  chain  again.  Unlike  Component  specific  programs,  this  process  took  an 
extensive  amount  of  time  due  to  the  number  of  players.  The  document  did  not  change 
significantly  other  than  the  funding  lines.  MAIS  members  were  fully  aware  of  the  process  and 
were  satisfied  with  the  document.  At  no  time  was  CPMS  working  in  isolation  from  MAIS 
members.  At  every  review,  we  provided  updates  on  document  status,  and  members  always  had 
the  latest  draft  document. 

III-D.  Conclusion  (Page  15) 

Page  15  of  the  draft  audit  report  states  that  “...GAO  recently  reported  that  DCPDS  development 
was  not  compliant  with  the  CCA.”  This  is  inaccurate.  In  fact,  GAO  recognized  that  the  CCA 
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was  not  passed  until  after  modem  DCPDS  development  had  begun.  The  GAO  report  did  not 
assess  DoD  compliance  with  CCA;  rather,  it  evaluated  whether  DoD  had  applied  the  principles 
of  CCA,  which,  according  to  GAO,  reflected  widely  accepted  system  acquisition  management 
practices. 

III-E.  APPENDIX  B.  Defense  Civilian  Personnel  Data  System  (Page  20) 

Estimated  Costs  of  the  DCPDS  Program. 

We  recommend  that  the  DoD  IG  replace  the  Appendix  B,  Estimated  Costs  of  DCPDS  Program 
section,  with  the  following  estimated  costs  of  the  Regionalization  and  Systems  Modernization 
Program.  The  total  Regionalization  and  Systems  Modernization  program  cost,  which  includes 
the  regionalization  of  civilian  HR  operations  and  the  modernization  of  the  HR  information 
system,  was  $378M  as  of  May  2000,  with  93  percent  ($35 IM)  of  its  program  cost  spent  through 
FY  1999.  The  estimated  cost  of  the  modem  DCPDS  portion  of  the  program,  as  of  May  2000, 
was  $196M,  with  88  percent  ($172M)  spent  through  FY  1999.  The  systems  modernization  cost 
consists  of  the  entire  cost  to  complete  development,  conduct  testing,  and  obtain  functional 
implementation  of  the  modem  DCPDS,  including  sunk  and  future  costs  required  to  deploy  the 
system  to  all  sites.  The  systems  modernization  costs  do  not  include  DCPDS  legacy  systems 
operations  costs.  The  Regionalization  and  Systems  Modernization  program’s  estimated  life- 
cycle  costs  for  FY  1995  through  FY  2010  total  approximately  $1.3  billion. 

in-F.  APPENDIX  C.  Timeline  of  Major  DCPDS  Program  Documentation 
(Page  22) 

Additional  changes  should  be  made  to  reflect  the  following  Program  Documentation  Timelines: 

June  1995  Original  Acquisition  Program  Baseline  Developed 

October  1995  Original  Operational  Requirements  Document  Approved 

October  1995  Original  Test  and  Evaluation  Master  Plan  Approved 

October  1996  Initial  Operational  Requirements  Documents  Signed 
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